February 22, 2012

Last Updated on February 22, 2012

Can’t protect what you don’t know about.

Had an interesting conversation this week with the CISO of a large bank. They were interested in moving towards ISO-27001 certification and we were talking about the challenges of conducting a “meaningful” risk assessment in such a large and distributed organization.
As we were talking about the merits of information- and process-centric risk assessment using ISO-27005 (as opposed to asset-centric), a bemused smile spread across his face. He pointed out that, with the number of acquisitions the bank had made over the last few years, he really wasn’t certain about all of the relevant data that was critical to the risk assessment.
As larger organizations look to comply with “information”-specific laws relating to PII and PHI, or look to align themselves with security frameworks like ISO-27001 or HITRUST, being able to identify sensitive data in both structured and unstructured forms is essential.
I suspect that the next few years will be good to companies like Varonis and Global IDs that produce tools that simplify the process of automatically identifying critical data and support organizations’ governance requirements.