Security Planning for the Year Ahead: Are You Hoarding Big Data?

Posted on by David Needle

Another year, another round of threats and challenges you find facing all of you responsible for security at your company or organization.

While it’s impossible to anticipate all threats in the ever-changing security landscape, there are steps you can take to be better prepared—if not also proactive—for what’s to come in 2016 and beyond.

In the first of a three part series, I want to share highlights from an interview I had with Steve Wilson, a Principal Analyst with Constellation Research.

Big Data is a hot topic. Organizations big and even on the small side are collecting far more data on their customers and partner interactions than ever before. But Wilson argues many companies are going overboard.

“There’s a lot of inadvertent big data collection where companies log everything because they have the mentality the data will come in handy one day. In effect, every customer is under surveillance by default,” says Wilson.

So what’s the harm? You may never do anything with 95 percent of the customer information you’re storing, but there it sits, a ready target for would-be hackers. Not good.

Exhibit A for why this is a bad idea is last year’s OPM (Office of Personnel Management) security breach where the social security numbers and other information belonging to millions of government employees and contractors was stolen. Wilson points out that OPM was storing personnel records that were 15 years old. “I can’t imagine a compelling requirement to access data that is 15 years old,” he says. “Anything that old, if you really want to keep it, should be archived.”

And that raises another issue, the unexpected consequences of inexpensive storage. Because storage has become so cheap, Wilson says “we’ve lost the discipline of archiving and we expect all data to be available at all times” a strategy he calls “incredibly lazy.”

Wilson suggests the New Year is as good a time as any for a “spring cleaning” of your data stores to make sure you really need to be storing everything you’ve accumulated.

So you’ve been hacked. What did you learn?

It’s always good advice to be more effective in protecting and managing your data, but as security experts have quipped in recent years, “There are two types of companies—those who have been hacked and those who don’t know it yet.”

When a company’s been hacked, analyst Wilson says most employ standard “by the book” compliance and corrective measures to an extreme.

“There is a kind of paint by numbers approach to making sure you follow policies rather than the secret sauce of knowing what you’re doing,” says Wilson.

When a big company’s been breached, there are typically lengthy audits of what procedures were and were not followed, and Wilson says the common response is to write a new chapter in the policy book.

“You’ll see things like the company discovered there was a breach because a second-level administrator forgot to patch Oracle, so let’s write a new SOP (standard operating procedure) for patching that. That’s fine as far as it goes, but it’s robotic and you don’t see the forest for the trees.”

Wilson’s advice is to be sure you’ve hired seasoned security professionals who can see the big picture and what’s needed to best secure your valuable data assets. And don’t be afraid to think outside the box.

“You need deep skills at the CTO and CISO level, and that costs money. Sadly, a lot of security efforts are underfunded,” says Wilson. “If I told a company it needs to spend two months evaluating their security, that’s a tough sell. Prevention always is.”

But regular review of your security procedures and products is essential, and it starts in-house. As Wilson puts it: “You cannot outsource responsibility.”

Coming up next

In my next post you’ll hear from the CIO at a company in the process of splitting off from its parent and the fresh start it’s making when it comes to security. 


Business Perspectives

big data analytics

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs