Who You Gonna Call (For DataSec)?
Published 03/10/2023
Written by Ravi Ithal, Cofounder and Chief Technology Officer, Normalyze.
Originally published on Forbes.
My title plays on the refrain of Ghostbusters, a #1 hit dance/pop song in a blockbuster comedy film with a trio of parapsychologists who set up a ghost removal service in New York. Cybersecurity professionals may wonder if our jobs are a bit like finding ghosts, chasing scraps of evidence that might reveal mischief lurking somewhere out in a cloud. But cybersecurity is no laughing matter—it gets deadly serious if someone steals your company’s sensitive data.
So, before we boogie down, let’s seriously consider the question: Who You Gonna Call...for DataSec? In most organizations, this person is a ghost themself—there’s no one to call because they aren’t there or don’t know what to do.
DataSec Is a Huge, New Challenge
To be clear, DataSec is about securing sensitive, regulated, or proprietary data in modern environments that have “shifted left” to cloud-native apps built with microservices.
Securing data in cloud-first environments is amorphous compared to legacy monolithic applications running on a server with one database physically housed in the on-premises data center. In the past, you could see where the data resided, easily control physical and logical access to the data and take comfort in a slow, predictable development process that minimized risk of data theft or exposure.
Modern environments are radically different. DevOps teams churn out multiple changes to apps every day with a mix of proprietary and open-source code. Apps consist of dozens or even hundreds of self-contained microservice modules. Each microservice calls its own data store. A variety of data stores creates an exponential number of potential access relationships. Where a legacy application has one database, a modern enterprise app can literally have dozens of data stores operating in multiple clouds on virtual devices that spin up and down in seconds. Virtual, yes, but it’s a very real and hellacious scenario for finding and securing sensitive data.
Finding DataSec Doers And A Leader
I doubt any organization has planned for a dearth of DataSec professionals, much less being without anyone to lead the charge. “Moving at the speed of DevOps” is causing some unforeseen fallout for cloud data security. Most organizations start with what they know, which is securing the infrastructure that houses and runs the data. It’s kind of an extrapolation of what everyone did when systems ran on premises and security strategy was all about “castle and moat.”
But time has run out for excuses, and every organization should immediately consider how its data security posture has changed. If you’re all in on the modern approach, your organization’s next InfoSec hire really should focus on DataSec.
Before you look outside the organization, consider who’s already on board. Provided they have the right tools, I believe some InfoSec professionals are well positioned to quickly learn about DataSec and leverage what they know in this new world. In order to find and protect cloud data, they need to understand cloud architecture, how data flows, what kind of data is there, who has access to the data, and so forth. People with skills that let them think like a hacker (e.g., penetration testing) will do fine with DataSec.
Lack of DataSec leadership can plague an organization of any size. Even a tech leader can stumble over DataSec. For example, recent U.S. Congressional testimony by whistleblower Peiter “Mudge” Zatko, an ex-CISO of Twitter, described two basic issues. “They [Twitter] don’t know what data they have, where it lives or where it comes from. And so unsurprisingly, they can’t protect it.” Mudge (as he likes to be called) also said, “employees then have too much access to too much data.” Mudge said a sampling of “petabytes” of “just recognized” data included “personally identifying information, phone numbers, addresses.” He continued, “half the company has access to the production environment,” which creates a data security nightmare.
Revealing the DataSec Posture, Warts And All
DataSec leadership (or lack thereof) is soon to be even more prominent with cybersecurity disclosures required of public companies by the U.S. Securities & Exchange Commission. A proposed rule will require disclosure of a company’s policies and procedures to identify and manage cybersecurity risks; management’s role in implementing cybersecurity policies and procedures; board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and updates about previously reported material cybersecurity incidents. And no more hiding details behind obscure language: All disclosures must be done with Inline eXtensible Business Reporting Language.
As you can see, DataSec posture is quickly rising to prominence at the highest levels. And it’s about time! Consumers, who give up that sensitive data and are at the mercy of corporations that collect, process, hoard, trade and sell their information, already know DataSec is a huge problem. They depend on you to keep their data secure.
For these reasons, it’s vitally important for every organization to take stock of DataSec. Let’s dispense with the ghosts. If someone is not currently in charge, get someone in place ASAP. The DataSec leader must be someone who wakes up every day and thinks about cloud data security.
When you hear the question “Who You Gonna Call...for DataSec?” there should be no pause of uncertainty. Boogie on.