Why You Need an Enterprise Data Protection Program
Evolving Risks Require a Solid Security Strategy
Risk is insidious, but mitigating risk and securing your data have never been more critical. Emerging security threats evolve just as quickly as the technology built to protect data, and worldwide regulatory pressure, such as that created by Europe's General Data Protection Regulation (GDPR), is changing how we store and manage data and how we approach security.
With these factors in play, there has never been a better time to develop an Enterprise Data Protection Program (EDPP): a planned, proactive, senior-executive-led approach to protecting enterprise data that keeps your organization resilient.
The key here is to mitigate risk intelligently. Without a proactive approach to enterprise data protection, your security team could begin to feel pressure to protect everything equally. But let’s be real—you don’t have to protect every computer, database, application, and device in your company at the highest level or from every possible attack. Some data is more important and risk-prone than other data.
Putting an EDPP in place helps you prioritize the enterprise's security policies and budget, so you can determine the right level of protection for each class of data in your business. Your CISO can then build out security architecture and resilience services where they will be most effective, addressing the most critical risks with the most capable controls.
The U.S. Securities and Exchange Commission (SEC) has called for more extensive security protocols and urged boards of directors to integrate data protection strategies into their broader corporate risk management practices. That call is now backed by enforcement: the SEC has levied its first fine for inadequate security.
World Economic Forum analysts estimate that within a few years cybercrime damages will reach $6 trillion annually, which would make cybercrime more lucrative than the global trade in all major illegal drugs combined.
It All Starts with a Data Inventory
Before you can make smart decisions about how to protect your data, you need a thorough knowledge of what data you have and where it is.
The main function of the senior leadership EDPP team is to gather information and set policies that help the CISO protect what needs protecting, at the level it needs. The team develops a data inventory that informs security policies and cyber resilience budgets. The inventory begins with a record of every business data asset, together with the following for each:
• Who owns the data
• What the purpose and value of the data is, both to the enterprise and to a potential attacker
• What obligations (contractual, regulatory, legislative) come with the data
• What risks the data brings to the enterprise
• An estimate of the cost of a breach of this data and of how likely a breach is to occur
• What mitigations will be put in place to reduce the severity and likelihood of those risks, and what those mitigations cost
• Who owns implementation and operation of the mitigations
Getting Started from the Top Down
A classic problem in the enterprise is that security has typically been driven from the bottom up, with little effort to discuss the problem in the business language of risk management. One survey found that only 45% of boards participate in overall security strategy. That figure reflects the common corporate attitude that cybersecurity is a cost center meant to reduce risk rather than enable business growth, a belief confirmed by 74% of respondents in a Cisco survey of more than 1,000 executives. When executives see cybersecurity as a drain on resources, the usual result is siloed security measures implemented without any integrated strategy.
Those siloed, un-integrated security programs just aren’t cutting it these days. Gartner experts estimate that by 2020, IT-sponsored (bottom-up) information security programs will suffer three times as many significant breaches as top-down programs sponsored by business leaders.
The EDPP is that top-down security model created and driven by business leaders. It’s more successful in protecting critical data because it is based on a holistic, enterprise-wide approach that takes all data into consideration. It also can be more successful because it is championed by senior business executives—the very people who are responsible for creating budgets and governance policies.
With C-level awareness, buy-in, and executive willingness to oversee and drive the program, your data inventory and subsequent protection plan will be living documents written in the language of business that describe business requirements and the funding necessary to meet those requirements.
Assembling the Senior Executive Team: Some Considerations
Creating an EDPP requires the organization of a cross-business committee at the senior leadership level. All business units and cost centers should participate, and all data owners must be represented. The Legal department should participate because it is familiar with the unique contractual and legislative obligations the enterprise has with regard to data protection, and internal auditors should have a seat at the table as well. This is a standing team. Because business changes over time, so will the data inventory. As the inventory evolves, the security architecture must evolve with it.
Do the Work, Reap the Rewards of Resilience
Unplanned-for risk can damage your brand, cause legal issues, and affect business performance. Unmanaged risk causes lost productivity, missed opportunities, and direct, unbudgeted costs. By creating an EDPP driven by the board of directors and senior leadership, you’re setting your business up for a new era of peace of mind and increased success.
Get the Right Amount of Protection
With the right level of protection for all of the data across your organization, you can reduce the number of cyber incidents, as well as reduce the impact of an incident.
Lower Security Operations Costs
By determining the right level of protection for each type of data, you can significantly lower security operations costs. Instead of paying to protect everything to the maximum degree, you can deliberately allot more resources where critical protection is needed, confident that each data asset is secured according to its value. That means fewer incidents of cybercrime and more resilience to damage when incidents do occur. It also lets you deploy new operating models with confidence that each model's risk has been evaluated and will be adequately protected.
Reduce Reliance on Shadow IT
When employees know that the tools and systems they use are protected to the right level, they have less reason to turn to "shadow IT": often cloud-based tools that are not officially approved for use in the enterprise and whose data therefore sits outside the data inventory and the controls that depend on it. Limiting shadow IT reduces the time and money your IT team spends repairing the damage it can cause to secured systems.
Enable New Revenue Streams
Approaching data protection as simply meeting obligations leaves money on the table. Instead of being a cost center with no business value, a strong cybersecurity strategy can enable new revenue streams, because confidence in the resilience of your enterprise leads to greater willingness to deploy new business models. Better security fuels the development of digital offerings and new business models instead of inhibiting them. You will also be a harder target, and attackers are more likely to go elsewhere once they realize that.
Your Enterprise Data Protection Program is a vital resource for securing data and honoring obligations to your customers, the market, vendors, regulators, and shareholders. Customers and partners who trust your organization are more likely to share sensitive information with you and more likely to form closer business ties, which can also lead to new opportunities to increase revenue and grow your enterprise in ways you haven’t yet imagined.
Cyber Risk and Resilience Series: Part 1