Whether it’s a breach of privacy rights or data security, you can’t transfer legal or reputational liability to a third party
Today, savvy customers worry about their privacy and a business’ ability to protect them from cybercriminals, fraudsters and surveillance.
To position data security and privacy as your competitive differentiator, CIOs must proactively protect customers, employees, and IP from complex privacy abuses and more sophisticated cyberattacks.
Now is the time to work with your Chief Information Security Officer (CISO) to reframe cybersecurity and privacy as more than cost reduction, and to position the firm as a privacy champion.
Companies in the intermediate phase of this journey should automate privacy workflows to embed privacy in the development of new products and services; deploy technical capabilities to ensure privacy and security policies travel with data that you share with third parties; and automate exfiltration controls.
The technologies required span four areas: data governance, data security, cloud governance, and technology innovation.
Data governance: Continuously map and understand risks to sensitive data
Whether it’s a breach of privacy rights or data security, you can’t transfer legal or reputational liability to a third party. You must maintain control and knowledge of the data that you share, use technology to reinforce process, and never assume trust. To do this, companies should:
Streamline and automate privacy management workflows
Continuously maintain data inventory and visualization of data flow mapping
Continuously map user access and behaviour and automate customer data controls
Aggressively archive and defensibly delete data
Detect and respond to breaches within 72 hours with automation and orchestration.
Data security: Quickly detect and stop breaches of sensitive data
In the intermediate stage, tech leaders move to a data- and identity-centric approach and layer on more-sophisticated capabilities that will both accelerate and automate breach detection and response. With these more-advanced Zero Trust capabilities, security teams can stop more-advanced intrusions and attempts at data exfiltration, and when they can’t, the speed of detection and response and the segmented nature of the network limit the damage. To do this, companies should:
Create more-granular microperimeters of control around sensitive data and apps
Implement two-factor authentication (2FA) and privilege identity management (PIM)
Deploy security analytics solutions to monitor network and user behaviour
Develop capabilities to identify, prioritize, and remediate all critical vulnerabilities
Automate repetitive low-risk tasks in the security operations centre.
Cloud governance: Develop a comprehensive strategy for ‘Cloud First’
Here, your comprehensive cloud security strategy matches your firm’s “cloud-first” intentions, addressing security to, from, and in the cloud. Here’s what that means for companies:
Control access to cloud workloads based on user, device, role, and sensitivity
Deploy tools that provide visibility, analytics, and detection for cloud workloads
Deploy secrets management to avoid transferring sensitive data
Add additional protections for fast-moving and legacy applications.
Tech innovation: Protect the brand from advanced attacks of the data economy
The amount of software in your environment has exploded, and that doesn’t just mean the applications you are familiar with. For example, with emerging internet of things (IoT) solutions, each IoT sensor in your environment — and each connected product you make — adds more software that needs securing.
The difference is this software has hardware wrapped around it. IoT that connects the products you make allows your firm to differentiate on customer experience, but it also creates massive risks for your brand. Each emerging technology has an increased attack surface, and the data you collect is now at risk — sometimes in unique ways. The quality of your brand is now defined by the quality of the software and the quality of the hardware. Here’s what companies should do:
Deploy brand protection and monitoring tools
Automate application pre-release security testing
Make mobile and IoT applications tamper-proof
Guarantee the fidelity of web applications and workloads
Operationalise open source consumption by application development.
It is important to continuously map and understand risks. CIOs and technology leaders must ensure that security travels with the data and position data security and privacy as competitive differentiators. Firms must move to proactively protect customers from complex privacy abuses and cybercriminals. Through the adoption of “cloud first” strategy and protecting the brand from the advanced attacks of the data economy, organisations would be taking a step in the right direction.
About the authors: Jeff Pollard is VP and principal analyst; Stephanie Balaouras is VP and research director, and Amy DeMartine is principal analyst at Forrester
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.