ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Cybersustainability: Ensuring Digital Strategies That Protect Data

Cybersustainability: Ensuring Digital Strategies That Protect Data

Karen Walsh, JD, and Joe Raschke, CRISC, CIPP, CISSP
| Published: 10/8/2019 8:52 AM | Category: Security | Permalink | Email this Post | Comments (1)

Increasingly, security professionals use language that makes a distinct comparison between our physical environment and our digital infrastructures. We use terms such as “digital ecosystem,” “digital footprint,” “IT environment,” “data leakage” and “data pollution.” As data breaches continue to increase in number and severity, we need to begin thinking about how we protect today’s data for tomorrow’s future digital strategies.

What Is Cybersustainability?
Fundamentally, cybersustainability looks at data as a finite resource, similar to a coral reef or fossil fuels. Similarly, we can look at data from both the “prevent from being polluted” perspective and the “preserve the resource” perspective.

Although no official definition of cybersustainability exists, we use the following definition:

  • Adopting/maturing digital transformation strategies
  • Establishing access and governance policies that promote cyberhealth
  • Continuous monitoring to maintain data privacy/security
  • Communicating across stakeholders
  • Promoting operational resiliency

Prevent Data Pollution
When we look at cyberecosystems, we discuss the problems associated with data leakage. Data leakage includes a variety of unauthorized data transfers from an organization’s systems, networks and software, including physical, digital and intellectual. For example, a user with excess access to information can choose to download the data or remember the data, both of which are considered data leaks.

Data pollution, in this case, means the way in which data can be accessed or changed within a digital ecosystem such that it impacts the information’s integrity, confidentiality and availability. In many ways, this definition aligns with the concept of a leaking underground storage tank. Homes heated with oil often have old, outdated oil storage tanks that leak the contaminant into the soil. In the same way, unauthorized access leaks data into the larger population, undermining privacy.

Preventing data pollution, therefore, requires organizations to control user access to information using the principle of least privilege.

Preserve Data as a Resource
On the other side of our cybersustainability equation, data are also a finite resource we need to preserve and protect. If we compare data to an environmental resource such as a coral reef, the similarities become more tangible. For example, coral reefs and the organisms that live in them must be protected because few of them still exist. They are finite environmental resources. Similarly, non-public personal data are finite resources. People only have one social security number or one birth date.

Protecting data as a resource, therefore, is imperative. Organizations need to protect and preserve non-public personally identifiable information (PII) because data compromises “deplete” the resource.

Protecting and preserving the integrity, confidentiality, and accessibility of data as a finite resource requires organizations to not only monitor for unauthorized external access to PII, but also internal excess access to it.

Why Identity Governance and Administration Enables Cybersustainability
The World Economic Forum defines the 4th Industrial Revolution as a fundamental change in the way people live, work and relate to one another arising from new technologies that advance the convergence of physical, digital and biological worlds.

As we evolve our technologies during this new Industrial Revolution, we need to create forward-thinking digital transformation strategies to prevent the pollution inherent in them. We should be learning from the physical environmental pollution created by factories to prevent similar damage to data arising from the 4th Industrial Revolution.

Thus, we need to look to the new perimeter—identity—to shape our digital transformation strategies. Relying on legacy identity management solutions leaves user data at risk. Protecting data as a finite resource and preventing data pollution relies on creating a risk-based, context-aware identity governance and administration (IGA) program.

Unfortunately, managing identity and access becomes difficult for organizations with complex IT ecosystems. Managing the proliferation of user identities—human and non-person—and the inundation of access requests across often disconnected dashboards creates both a human error risk and increased operational cost. To mitigate this risk and decrease these costs, organizations can incorporate intelligent analytics with predictive access capabilities.

Protecting Today’s Information for Tomorrow’s Technology
As we attempt to meet the rapid pace of modern technological changes, we need to focus on creating forward-thinking digital transformation strategies. We can learn from the mistakes of our predecessors who led previous Industrial Revolutions. By applying environmental sustainability theory to cybersecurity, we can better protect sensitive information long term and, ideally, prevent our advances from contaminating or depleting data resources.

Read Karen Walsh and Joe Raschke's recent Journal article:

"Sustainable Development for Digital Transformation," ISACA Journal, volume 5, 2019.

Comments

Concept of data as a finite resource

Hi thanks for sharing this
The statement that ‘data are also a finite resource’ surprised me and sparked some questioning. – Thank you for this. 
This concept is presented in relation to PII and the objective of protecting the integrity, confidentiality, and accessibility of data.  These are undisputable.
I am unsure of how the concept of ‘data as a finite resource’ works out in the context of Big Data, AI, etc.  Has this been addressed in another article?
I like the way you emphasize some other key points:
• ‘need to create forward-thinking digital transformation strategies’
• ‘managing identity and access becomes difficult for organizations with complex IT ecosystems’
• ‘need to focus on creating forward-thinking digital transformation strategies’
Regards
Michael
M.Lambert at 10/15/2019 12:52 PM
Email