In this chapter, we will be discussing the critical requirement to classify and map data. As I discussed in the previous chapter, laws, regulations, and industry standards are placing greater emphasis on knowing the types of data and its governance within organizations. Before focusing on data governance, let’s take a quick detour to the world of economics.
Transaction costs, according to economists, influence which functions are handled internally within the organization or outsourced to an external provider. When transaction costs are high, there is a tendency to maintain these activities internally. When transaction costs are low, these functions will likely be transferred to more cost-effective, external providers. What we have seen over the last twenty-plus years is the widespread reduction of transaction costs for many core enterprise functions and across many industries including healthcare, financial services, manufacturing, and professional services. Outsourcing of wide-scale functions has recently been complemented by outsourcing of niche activities at the margin (think shadow IT). As an economist will note, most everything happens at the margin. So what does this have to do with cybersecurity? Everything.
For the CISO today, it has never been more important to understand the types of information moving in and out of the organization. The effect of reduced transaction costs, coupled with new technologies such as mobile telephony and cloud services, has introduced significant challenges for CISOs charged with protecting organizational assets, including information and data. Let’s take a few moments to understand how pervasive outsourcing of certain functions is in today’s economy, and its impact on knowing where our data resides.
Most organizations have a number of basic departments including human resources, finance and accounting, sales and marketing, information technology (IT), operations (including manufacturing), and legal. The reduction of transaction costs related to core activities within these departments has effectively made the organizational boundary semi-permeable. What is outside the organization is now inside, and what’s inside is now outside. Those of us in security feel this viscerally when we think of our own organization’s perimeter. It’s hard to find and nearly impossible to secure.
Where’s Our Data?
Let’s look at some concrete examples of how fluid information is within, and more importantly, outside an organization. It’s not uncommon for organizations to outsource their payroll services to third-party processing organizations. Payroll data includes important uniquely-identifiable information, including employees’ social security numbers (SSNs), salaries, dates of birth, and addresses. That same organization may also outsource its accounting function. The accounting firm would have access to sensitive financial information including profit and loss detail, the value of assets, and the particulars about significant transactions. External auditors will validate the financial information prepared by the firm and may request samples of specific transactions to support their assertions regarding the quality of the financial reporting.
The organization may leverage external legal counsel to file patent applications, handle merger and acquisition (M&A) activities, and other highly-sensitive projects. A third-party marketing application sends e-mails to clients and prospective clients containing personally-identifiable information (the name and e-mail address of the recipients). Independent contractors may be providing support on key projects with access to material non-public information. Manufacturing may be outsourced to a contract manufacturer in another country. The manufacturer could be using patented processes or other intellectual property of the organization. Application development could be handled by an external DevOps team given real production data to test functionality.
The organization’s applications reside in multiple locations across multiple states and in several countries. Some applications and data are “in the cloud” and many lines of business, given the response challenges with traditional IT, use SaaS services to meet their requirements. Employees have personal mobile phones that they use to receive e-mail outside of the office. This e-mail includes attachments containing any number of data elements. Employees also bring their devices to work and take these devices with them when they leave the office each day or are terminated from the firm. Employees use third-party file-sharing tools, personal e-mail accounts, and external media to store information. Suffice it to say that the average organization simply does not know where its critical data and information are and, equally important, how they are being protected, if at all, outside the organization.
All of these challenges are fundamentally the same for third parties providing outsourced services. They too have third parties helping with their core functions. Payroll processing companies…
Copyright © 2016 CISO DRG JV – All Rights Reserved.