Last Updated on January 15, 2024
If you don’t know what data you have, and you haven’t classified it, can you effectively protect it? Put another way, is the historical lack of focus on information governance a significant contributor to today’s rampant cybersecurity problems?
To explore information governance from all angles, including its relationship to information security, a recent episode of The Virtual CISO Podcast features David Gould, Chief Customer Officer at EncompaaS. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show.
Governance supports security
“At the end of the day, when we look at information security, the first thing we need is a clear vision of what we have [to protect] and what we’re trying to accomplish,” John points out. “If we don’t have that clear vision, if we don’t know exactly what data we have and exactly where it is—which is what information governance is going to give us—and if it’s not appropriately classified, can we truly have information security?”
“My answer would be no,” David replies. “And I think [you would get] that answer from the majority of people you talk to today. But if you were to ask that question two to three years ago, [you might have heard], ‘If we do a great job at keeping the bad guys out, it really doesn’t matter what we’re doing internally.’ When we go in and talk to organizations about automating all of this, the number one question that they have is, where do I start? Because they know one thing more than anything else: that they have a lot of data and they don’t know where it is.
“If you think about that from an e-Discovery perspective, if you think about that from a cost management perspective, or if you think about that from a productivity perspective, yeah, security is a driver. But it’s really a much bigger issue than just making sure that you have controls over who can access information and in what ways,” David asserts.
Other factors in play include how (or whether) data is classified and organized, where it is stored, how it is processed, whether it is complete and accurate, which regulations apply to it, and how incidents are handled when it is compromised. A central goal of securing and governing information is to balance accessibility against confidentiality.
Defining the threat surface
“The perspective I focus on is risk management,” notes John. “There is a significant movement, when you get to [frameworks like] PCI and CMMC. Increasingly, we’re moving towards the fundamental principle of Zero Trust, which is being driven now by the NSA, DHS, the executive order… In a Zero Trust architecture, the first thing we have to define is the threat surface; or, if you think about it from a CMMC perspective, we call that an enclave. We enclave our controlled unclassified information (CUI).”
“So, the reality is that if I don’t know what data I have, and I don’t know how to classify it, I don’t know how to protect it,” reasons John.
If you’re concerned about cybersecurity and privacy compliance and how to maximize business value from these investments, you’ll definitely want to catch this podcast episode with David Gould.
To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.