It’s The Data, Stupid!

Published
June 26, 2022

2 min read

Sean Steele is co-founder and managing
partner at Infolock.


Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place. We’re stockpiling massive amounts of data in our unstructured and structured repositories, keeping it indefinitely, and bleeding it out through accidental loss, careless (but well-intentioned) sharing, unfettered collaboration, and insider theft. We don’t know what we have, who’s using it, how, or why. And forget protecting our most important data; that’s a faint, and distant, goal.

Data, and people, are the only things that really matter in this new IT landscape of borderless networks, mobility, and Cloud everywhere. All of our traditional infrastructure is changing, or going away, very soon.

If we want to control our data, we need to begin by understanding what it’s become.

Pork bellies, gold, and… data?


Data has intrinsic worth, not unlike other valuable commodities (soybeans, wheat, crude oil). There’s a worldwide market for it; you can buy it, sell it, and trade it.

A century ago, oil titans like Standard Oil, British Petroleum, and Royal Dutch Shell ruled the global economy. Now, data has outpaced oil as the world’s most valuable commodity, according to the Economist. Alphabet (Google’s parent company), Amazon, Apple, Facebook, and Microsoft are now the five most valuable companies in the world. Together they raked in $25B in net profit in the first quarter of 2017 alone.

What connects these new data titans? What is their core business? Data. My data, your data… all our data.

The new rise of an old adversary


The attacks on our data are devastating and seemingly unstoppable: spear phishing, low-and-slow APTs, targeted hacks, malware, and ransomware. The risks to attackers are minimal – many countries won’t assist the United States with investigations or extradition – and the financial upside is massive.

Ransomware is an old threat – we’ve known since the late 1980s how to defeat it. But ransomware attacks still succeed. Just ask the healthcare systems who’ve shut down their operations in the wake of recent ransomware attacks, and then paid the ransoms to get their systems back online.

Why is ransomware enjoying a successful, frightening renaissance? Because organizations 1) don’t know what their important data are, 2) don’t back up their most important data, and 3) don’t test their data recovery procedures.

Data backup and recovery isn’t sexy. It isn’t a shiny new tool or a magic bullet – it’s a basic business best practice. And we ignore it at great peril to our companies’ continued operations.

The enemy is us


The IT security industry – vendors, practitioners, analysts, academics, journalists – continues to play to a supply-side mentality about threats, while virtually ignoring the realities about demand-side data protection and data management.

How much attention do hackers and malware get? Data breaches? Lots of attention, right? Now what about building an in-house data governance function that understands data throughout its various lifecycles and enlists support from different business units and functional areas?

Crickets, right?

Our compliance-as-security worldview emphasizes buying technical tools and solutions – mainly focused on reactive threat detection and correlation – but fails to deliver the expertise, governance, staffing, integration, enforcement, or ongoing care-and-feeding needed for proactive data management and protection.

Our policy makers and standards experts aren’t helping the situation; no major information security controls framework focuses on data in its numerous dimensions (discovery, retention, access, ownership, loss prevention, encryption, archiving, etc.) as much as on software and hardware assets, vulnerabilities, networks, server hardening, patching, perimeter safeguards, security management practices, change control, and the like. Are those aspects important? Of course they are. But, in a world in which data and people are the only future constants, we’re focused on the wrong things.

To me, the failures of our IT security industry echo those of our country’s nearly half-century-old Drug War. We’re attacking supply (threat) when we should be focused on demand (protection).

Attacks will never stop occurring, so long as our data has value. Never. Let’s accept that fact and move forward intelligently.

Back to basics


We need a new and simple plan for wresting back control of our data. This plan must be focused on getting to know – and really understanding – data:

  1. Know why you have data – understand its business value
  2. Know how your data is generated and collected, processed, and transmitted
  3. Know what your data is, where it is stored, and how to discover it (including for legal purposes)
  4. Know who owns, has access to, and is using your data (including third parties)
  5. Know how old your data is and whether anyone has used it recently
  6. Know how your data is backed up; do you test its recovery?
  7. Know how to classify your data and why (e.g., archiving, encryption, deletion, external compliance)
  8. Know how to detect and prevent data loss, including in Cloud and mobile applications
  9. Know when and why to get rid of data and how to ensure proper decommissioning
  10. Know what your data is worth and how to monetize it

Our ten data management principles aren’t meant to supplant your current information security or risk management priorities, but they should clearly inform and strengthen them. If you’re like most organizations, you’re going to discover major gaps that cut all the way to the core of who you are as a business.

One common gap we see is not having a clear data classification and retention program in place at the corporate / organizational level. This gap leads to ever-growing storage needs, serious access control issues, and an inability to remove and delete stale data over time. The situation is even harder to unwind when much of that data are sensitive, confidential, and regulated.

What’s most concerning to us is the “surface area” that’s left in place, and often exposed, when an attacker gains access to those data stores. Data are the soft, gooey insides to that hard, and thin, shell.

Growing your knowing


G.I. Joe said, “knowing is half the battle”. I’d suggest it’s much more important when it comes to our data. Knowing is everything.

Once we understand the size and scope of our data challenges, we can start to educate our stakeholders and plan for improved management and protection. In our view that change must be: 1) incremental, 2) measured, and 3) meaningful. It’s critical to note that our goal shouldn’t be wholesale or rapid change – inevitably we’ll create friction with established business processes and virtually guarantee pushback from the very people from whom we need the strongest support.

Rome wasn’t built in a day and our data management challenges aren’t going to be solved overnight. Let’s embrace the long, slow haul. It’s not shiny, slick, or new, but it does work. In truth, it’s the only path to success.
