By Chris Hines, VP of Strategy, Cyera
Nothing is better than meeting with customers and prospects who can articulate their issues as a business and security organization, from boardroom and regulatory pressures to deploying resources, including people and the tools that enable them.
Whether meeting with a large bank CISO or a security leader from a global communications company, each shares their unique focus and different challenges, but when discussing data security challenges, there are often several commonalities. For example, they usually share pressure from the top, be that the C-Suite, the Board, regulators, or all of the above. And the strategies they choose all involve trade-offs. They don’t have unlimited budgets to do and try everything. They typically discuss a mix of homegrown solutions, vendor products, and outsourced managed security services.
Most enterprise security strategies protect networks, endpoints, and identities. Data security is a priority, but it is often not at the heart of security plans. With the aggressive introduction of GenAI into the enterprise, security leaders are re-evaluating their approach to data security, starting with the internal use of GenAI. There is a near-universal focus on Microsoft Copilot and productivity applications like Slack, which can be difficult to govern when multiple instances are used within the environment.
After listening to CISOs from various industries, here are five data security challenges that even the most seasoned security leaders face as they construct plans to better protect their data.
- Understanding what data exists in their environment – This is an interesting one. Regarding their on-premises environments, most believe they have a good idea about their data footprint. But, when it comes to SaaS and public clouds, they really struggle. The data security tools they relied on for their data center locations are weak at helping discover and classify data outside their corporate perimeter. With data being so democratized in today’s workplace, they feel they would face significant exposure if data were moved to SaaS or public cloud.
- Knowing the sensitivity of their data – Many acknowledge not all of their data is equal, but they have no easy way to determine what data is most critical to their security operations. Their on-premises solutions use classification engines built solely on regular expressions and pattern matching, leading to false positives and requiring manual intervention for classification. They cannot accurately classify down to the file or object level. This is increasingly important in the age of mandatory breach disclosure rules.
- The infrastructure distribution of data – Many large enterprises have data in all three major public cloud providers (AWS, Azure and Google), SaaS (primarily a Microsoft shop), and on-premises. Most have no clear visibility into how much data exists within those environments or whether there are data duplicates within their environment. These insights would unlock the ability to make strategic decisions around their infrastructure and potentially introduce additional data hygiene to remove certain data or migrate to cheaper infrastructure, thereby reducing the attack surface and data storage costs.
- The relationship between identity and data – It’s no surprise that humans, groups of humans, and non-human identities (devices) require access to business data. Many security leaders are concerned about data access. This concern is beginning to extend the zero trust discussion, which has centered on secure access, endpoint security, and the identity provider space, to data at rest. Zero Trust Data Access is on the horizon.
- Privacy Data Incident Response – The ability to detect data anomalies (users randomly accessing PII data), maintain PII compliance, and minimize the impact of a data incident are top-of-mind and clear challenges for security executives. The need to align breach response to relevant regulations is a must. So, too, is the ability to easily determine what PII data is impacted as part of a data incident. The Change Healthcare incident is proof of this necessity. Not knowing what PII data was part of their ransomware attack has prevented the company from promptly notifying customers whose PII data was impacted. This was an eye-opening revelation for all security leaders.
Addressing these challenges requires a comprehensive and adaptive data security strategy. That strategy has to start with what is seemingly the most obvious of all: you have to know where all your data is at all times, and you need to know the risk it represents so the proper controls can be applied. Without this solid foundation, nothing else matters.
We are still in the early days of the cybersecurity industry, let alone the era of Generative AI. Data governance is now an issue of immense importance to businesses, regulators, and consumers. Much has to change in terms of how we have been protecting data. Security leaders must continue to share insights and collaborate to develop effective solutions for safeguarding their organization’s data in an ever-evolving threat landscape.