At next week’s North America ISRM/IT GRC Conference, I’ll be taking a different approach to IT risk and exploitation, addressing the light and dark sides of data’s nature during my presentations titled An Era of Data—The Nature, Use and Flow of Data and An Era of Data—Challenges.
Far too often, our goal is buying the solution-du-jour—the latest in anomaly detection, data-loss prevention, antivirus/anti-malware, application whitelisting, or the fastest security appliance.
Unarguably, identification, mitigation and remediation are our bread and butter. But too many of us miss the fact that “cold” cyberwarfare is rampant and the casualties are always some form of data.
The answer lies in sizing up your assets, not your tool budget.
Current businesses—from SMBs to large enterprises—have become vast repositories of interconnected data. Few fully realize the depth and risk their own content has achieved. The foresight necessary to moderate collection, management, usage and inevitable disposal has changed at a blinding pace. Schools of thought emerge, expand and are supplanted just as rapidly.
As humans we ingeniously adapt, establishing new uses and connections among previously disconnected bodies of data. Inferences driven by market value and opportunity spur business forward to success. But the classic issues of security lag behind implementation. Though many efforts are made to secure data collection, storage and management, they are readily outstripped by the rush forward to see if we can integrate everything. And we often forget to ask what we should integrate.
Considering the goal of ensuring fair use and safety, we must remember that the solution depends on how you “view the data.” The perpetrator’s view is simple: reach the cash, or in this case, the new cash (data). Defenders employ countermeasures, but a countermeasure that only answers one avenue of attack always has a “solvent” waiting to dissolve it and re-expose the underlying need.
The root of most failures is not accommodating the dynamic nature of the resource, not fully understanding its use, and not fully understanding and meeting the user community’s need.
During the two sessions I’m hosting at North America ISRM/IT GRC, we’ll discuss the “light” and “dark” sides of data, seeking an understanding of data’s nature in a changing world. We’ll also examine numerous cases of how data is exposed, from its creation until its untimely “theft.”
See you in Las Vegas!
John “Jack” Callaghan, CISM, CISSP, CIPP
Senior Security Researcher, StillSecure