Analysts Evolve, Data-Centric Security Devolves

I am pleased to announce that this is my inaugural post on the Forrester SRM blog. Not only that, it's the day that my first research report went live on the Forrester site.

About me: I am a long-time Forrester fan. My first exposure to Forrester came back in 1994, when I was a lowly systems analyst figuring out how to build IT systems to manage trucks and warehouses. I always loved the Forrester writing style: interesting data, strong prose and solid recommendations -- written by people utterly unafraid to take tough positions. And now 15 years later, here I am trying to do the same. I'm pleased to be here, working with such a talented team of professionals!

My first report, called Data-Centric Security Requires Devolution, Not a Revolution, begins by talking about how securing enterprise data has become a top priority for enterprise CISOs. By "data" we mean structured and unstructured bits of information sprinkled all over the landscape: in databases, documents and e-mails, residing on servers, laptops, desktops and mobile devices.

All of the enterprise's data must be secured... that is obvious. Enterprises have been trying to do this for years with e-mail filtering, hard disk encryption, data leak prevention (DLP) and other technologies. Every few years, another hot technology emerges. But what's less obvious is that the accepted way of tackling the problem -- making IT Security the primary responsible party -- isn't necessarily the most effective way to do it.

In the report, I take the position that devolution of responsibilities from IT Security to business units is the most important success factor. I'd urge you to read the report for yourself. But in short: as long as data security is just "an IT thing," it's virtually certain that the most accountable parties (BUs) will be able to wash their hands of any responsibility. Depending on the organization, the centralized approach tends to lead to two scenarios:

(1) IT throws up its hands, saying "it's too hard!" -- guaranteeing that data security problems breed like rabbits
(2) IT dials up the data controls so tight that end-users and business units rebel against or subvert the controls -- leading to even worse problems

What's worse? No controls, or too many? The truth lies somewhere in between, and results vary widely depending on who's accountable: the boss you already know and have a relationship with, or an amorphous cost center whose workers don't know what you do all day. Your boss knows which work products are appropriate to protect, and which aren't. IT Security's role should be to supply the tools that enforce the business's wishes, not to operate those tools itself.

Want to secure enterprise data? Stop trying so hard, and devolve!

Comments

re: Analysts Evolve, Data-Centric Security Devolves

You should also consider that the basis for determining business data flows is the business rules, which are often framed in terms of trust relationships within and between groups. Granular access policies (and enforcement) are impossible without this input from the business units.

re: Analysts Evolve, Data-Centric Security Devolves

The ISO/IEC 27001 framework of controls has long specified that a business owner be assigned as a "data owner" to every information asset. This data owner is accountable for the security of the information asset and works with Information Security and IT to ensure that the necessary controls are in place to preserve the confidentiality, integrity and availability of the asset. I have found that conversations with business owners that are about "risk" vs. "security" are far more productive towards building understanding and commitment for the data owner role.