Anyone who reads my blogs knows that I’m not highly technical. In fact, I have warned organisations against buying technology [for technology’s sake] more than I have ever recommended it. And I will continue to do so until everyone is following the pre-purchase golden rules:
- Conduct a Risk Assessment with Business Impact Analysis;
- Perform a Gap Analysis comparing your risk to your mitigating controls;
- Build a detailed list of the security functions (NOT features) you need to fill the gaps; and
- Work out how you’re going to do these things before sending out an RFP:
- Install it;
- Integrate it;
- Manage & Maintain it;
- Monitor it;
- Measure its performance against the agreed risk baseline(s)
So why am I talking about choosing a data discovery solution?
GDPR of course.
For the last 15 years the primary driver globally for security budgets has been PCI, but even that didn’t push organisations to invest in a data discovery tool. A little odd, because cardholder data could not be a more perfect use case. It is:
- either 15 (Amex) or 16 digits (Visa, MasterCard et al). Mostly anyway;
- almost entirely structured; and
- easily tuned for false positives (MOD 10, BIN comparisons, context etc.)
But you can achieve PCI compliance without data discovery tools, so why would you spend any more money on a regulation that’s nothing more than a commercial obligation? Especially when you don’t HAVE to. ‘PCI projects’ are seen as just other expense, one usually separated entirely from the other security programs. No benefit to the business means minimal investment, and it’s hard to argue with the logic.
But GDPR is a whole other beastie. This is the law now, and as consumers become better educated, the demands made on a business will only increase. You simply cannot ignore data subject requests, nor can you afford to expend the effort to respond appropriately with mostly ad hoc processes.
So where does this leave you? This leaves you with the requirements to:
- discover ALL instances of personal data in your environment;
- map all USES of personal data to your business process;
- ensure that personal data is ONLY used for purposes legitimised by a lawful basis;
- ensure that all ingress and egress flows of personal data are only to/from approved 3rd parties/countries; and
- not lose any personal data to bad guys or incompetence.
Yes, you can do a lot of this manually, or with other controls, but operationally a data discovery / business process mapping tool will make your life significantly more efficient.
It also has numerous other benefits…
[Borrowing heavily from Security Done Well, The Ultimate ROI]:
- Overall Risk Reduction – if you know what you have, where it is, and who has access to it, you have a much smaller threat profile;
- Business Transformation – Data is central to all things. The ability of an organisation to order, compile and retrieve their accurate data the fastest enables them to adjust their processes in the face of customer needs, or competitive threat;
- Competitive Advantage – Data in context is information, information in context is knowledge, and knowledge applied correctly is wisdom. In this case, wisdom may be the competitive advantage you need to stay one step ahead;
- Financial Control – All finance these days is data in context, and while data discovery / business process mapping will never be able to provide that context, access TO, and the integrity OF the data can provide a much welcome check and balance for the control of an organisation’s financial data assets;
- Avoidance of Fines / Loss of Reputation – Self-explanatory. How can you ever claim that your controls are ‘reasonable’ or ‘appropriate’ if you have little to no knowledge of your data life cycles;
- Cheaper IT Infrastructure and Maintenance – You only get real efficiency when all processes are simple, and you can only achieve simple if everything you have is appropriately baselined. These baselines are hard to achieve, and can be expensive in the short-term, but the long-term costs are significantly lower than trying to constantly work with too much (technology, data, and yes, even people);
- PCI Compliance (if this is an issue for you); and above all
- Accountability – Whether it’s to your employees, regulators, investors, or your Board of Directors, you are accountable for what happens with, and to, your data.
But where do you even begin choosing the right tool / service for your organisation?
For that I have written a White Paper that breaks down my thoughts. You can find it here: Which Data Discovery Solution is Right for Your Business.
Your feedback is welcomed.
[If you liked this article, please share! Want more like it, subscribe!]