Data and privacy protection strategies must be all-pervasive in nature to address each individual element
It is essential to understand the importance of, and the difference between, data privacy and data protection. Securing data and maintaining privacy are moving targets with legal, ethical, and financial implications. It has become critical for CISOs to think in 360 degrees about the protection of each element.
Data and privacy can no longer be protected by passwords. This 360-degree thinking includes protection from adversaries, from an overreaching authority, from employees and insiders, and even protection from self. If any of these vectors remains uncovered, the job is not finished.
Protection from an overreaching authority concerns governments that take unauthorized liberties to enter systems. Employees or other members of the workforce can deliberately or unintentionally access information they are not meant to have, ranging from protected intellectual property to salary information. Protection from self refers to an accidental release of information.
CISOs need to consider all of these angles, and more, to have an overall approach to security strategy. A few years ago, such an approach was not even remotely possible. With the advancement in technology, however, today it is not just possible but also more actionable and more affordable than ever. It requires a 360-degree understanding of the nature of data and privacy protection in order to have a strategy that addresses every individual element. Though some processes and technologies can cover more than one element, it is essential to realize that most of them secure one angle and can ignore the others.
For something like a cloud CRM provider, it is necessary to understand how the provider protects the company’s data from its own employees. Questions to ask include: Do they detect anomalies in data access? What about their privileged employees? How do they react to government subpoenas? If subpoenaed, can they release your data? How is data physically secured, and in what physical locations? What is their strategy for vulnerabilities? These and more must be asked. There are many questions like these, with no perfect answers to all of them. However, it is necessary to ask such questions for each element that is part of the company’s system.
Embracing a 360-degree approach puts everything in place. It requires regular review and an understanding of which protections are needed, against what, and for which elements. This approach also helps in keeping up with constantly changing techniques and the latest technologies.