The task of changing how an organization responds and reacts to data security and privacy initiatives is a large undertaking; it will take time before you see results. In fact, it can take anywhere from one year to three or more years to see tangible outcomes, depending on the size of the organization, IT's relationship with the business and executive support.
This is why it is important to embrace continuous improvement. Some security and risk professionals dismiss continuous improvement (CI) as a fluffy business exercise. Security leaders -- knowing that attitudes about data security and privacy change slowly -- recognize that CI is a powerful tool for security and risk. Organizations can use CI to identify the root cause of a security issue and implement a fix. However, CI is ultimately about organizational transformation.
Security leaders can choose from a slew of CI programs out there designed to improve the quality of products and services or the efficiency of processes, such as Six Sigma, kaizen and kieffer. CI initiatives for data security and privacy can help drive deep process, cultural and behavioral change within the organization by: 1) establishing key processes to embed security and privacy mindfulness; 2) creating a culture of importance and respect for data security and privacy; and 3) empowering security teams to stop data exfiltration.
There are really only two types of data in your organization: data that someone wants to steal and everything else. The issue today is that security and risk professionals are putting data controls in place around the data they think is most valuable, and not necessarily around the data that is most valuable to those who are out to steal it -- so-called toxic data. Toxic data can be expressed as the equation 3P + IP. The three P's stand for personally identifiable information (PII), personal health information (PHI) and personal cardholder information (PCI); IP is intellectual property. To improve your data protection, it's important to do the following:
- Know your data. Too often, organizations create data policies without a clear understanding of the feasibility and purpose of the data within their business. They themselves are in the dark about their data -- from knowing what data the business has to where the data resides. Knowing your data helps when it comes to creating appropriate policies and automation where applicable.
- Establish a culture of security and privacy. This is where continuous improvement has an important role. By building a culture of security and privacy and the key processes to achieve this, security leaders can help the organization come together more cohesively to apply and progress through the different phases of a security framework. Consider this a social responsibility as well. Implementing the framework is one part of this vision, while corporate culture and behaviors are a much larger part. Corporations must build a culture of respect for individual privacy in how they obtain, use and store personal information of individuals.
- Focus on two key metrics: intrusion and exfiltration. There are a host of other types of data security and privacy metrics that are valuable to track. However, tracking intrusions and exfiltration is paramount. Intrusion: Is there malware present or someone probing the network and systems who should not be there? Exfiltration: Did data leave the organization? Intrusion in itself is a cause for concern that warrants attention, but exfiltration is a serious liability that requires action. These are the two security metrics that are most likely to align policies and practices to help empower security employees to do the right thing -- and provide incentives for the organization to allow the security team to do so.
Here are three key processes for engaging the organization and using continuous improvement to start changing the culture and behavior.
- Speak the language of business to align incentives. Any CEO will tell you that driving business growth and revenue are top priorities. Every initiative that business units put effort into will revolve around and help support these top-line priorities. Security should too. This alignment of security with business goals shifts security and risk from an IT-specific responsibility to a shared business issue and helps drive security and privacy from the top down.
- Redefine data ownership to spread security and privacy mindfulness. Security does not -- and should not -- "own" an organization's data. Data holds the most value to the business units that collect, handle and use it. Communicate to the business units that it is in their best interest to help the security team ensure their data is protected and used appropriately. Clearly define data classification roles and responsibilities within your organization. All employees have a role and responsibility in data control, whether it's creating, using, owning or auditing it.
- Cultivate "right choice" decision making. Focus on particular issues rather than general security issues. Produce targeted security awareness training that is relevant for employees beyond the work environment. Foster an environment where speaking up is not just acceptable, but encouraged. When employees speak up about a suspicious request or ask a question relating to data privacy practices in a marketing initiative, you're on the right track.
Heidi Shey is an analyst at Forrester Research serving security and risk professionals.
This was first published in September 2013