Every year, I say I hate prediction posts. And yet every year I write one. This year I'm converting my information security predictions into actionable advice.
Here’s a look at what I think the big IT security must-do’s of 2019 should be.
- Minimizing risk should take precedence over building stronger walls.
- Recognize the difference between privacy and security.
- Pay attention to security requirements and risks associated with Office 365 migration.
- Use improved file analytics tools to help minimize risk.
#1: Minimizing risk should take precedence over building stronger walls.
We’ve been building stronger walls to protect data for decades. But the list of companies that experience data breaches continues to grow. Target, Anthem, Equifax, Marriott. Shall I continue?
The idea that we can build walls capable of preventing all breaches (or even most of them) is long outdated. Only the least sophisticated chief information security officer (CISO) believes that he or she can protect their data most of the time. That doesn’t mean we should give up, of course. Quite the opposite: We need to be ever vigilant about protecting our data. But it does mean we need to be realistic about what we can and can’t do.
CISOs shouldn’t strive to stop breaches from happening altogether. That’s an impossible standard to live up to. What they should do is look for ways to minimize the risk associated with (inevitable) breaches. That’s a goal that is possible to accomplish.
The first step in minimizing risk is to determine whether your company has sensitive data that is unmanaged on repositories like shared drives or SharePoint platforms. It’s also a good idea to identify any database applications that you weren’t aware of. They probably aren’t being patched, and who knows what data they contain.
Finally, you should determine how much stale and junk data your company has in its systems because, among other things, maintaining that data detracts from your ability to protect the really important information.
Those are important and difficult questions that you need to address if you want to manage information risk. They were top of mind in 2018 (or should have been) and should continue to be so in 2019.
#2: Recognize the difference between privacy and security.
Many organizations treat privacy and security as if they were the same thing, much to the detriment of both efforts.
Security should focus on the day-to-day details of protecting information; that is, strengthening firewalls and endpoint security systems, deploying data loss prevention (DLP) software, implementing access management systems, etc.
On the other hand, privacy is (or should be) a higher-level concern associated with enterprise risk. Whatever security technology an organization uses is tangential to the mission of maintaining privacy.
Privacy strategies should take into consideration the risk that sensitive information poses to an organization in light of privacy rules, regulations and standards, and internal corporate policies.
In the past year, an increasing number of organizations has begun to codify the distinction between privacy and security, either by hiring privacy officers whose roles are separate from those of CISOs or by more clearly delineating the difference between information security and privacy.
Either way, it’s important to recognize the difference. I predict more organizations will move that way in 2019.
#3: Pay attention to security requirements and risks associated with Office 365 migration.
The Office 365 train is a-runnin’. It will take everyone in the Fortune 1000 with it in the next 18 months. And when Microsoft turns off the on-premises option, look out — lots of companies will be scrambling to figure out what to do.
Complicating the problem is the fact that, historically, very few enterprises have considered the security requirements (and associated risks) an Office 365 migration brings.
That’s changing. Most companies I’ve talked to in the past six months are acutely aware of the security and privacy risks of a move to Office 365, but they struggle to quantify them and formulate plans to address them. I think they’ll figure out ways to handle that challenge in 2019 — mostly because they have to.
#4: Use improved file analytics tools to minimize risk.
It is impossible to minimize security risks without tools that help you assess the importance and sensitivity of all of the information you have.
For example, asking users to open every document on a shared drive to find out which ones contain confidential information is a nonstarter. That would take too long and cost too much.
There are, of course, software tools that are designed to do the job, such as the auto-classification tools that have been available for over a decade. But in spite of the claims of the software vendors, the promise of true auto-classification is pretty much unfulfilled.
But while auto-classification systems may have failed to live up to their potential, file analytics tools (using regular expressions) can interrogate content and provide real insight into what it contains.
Make no mistake: This is dumb technology. You tell it what patterns to look for (for example, “###-##-#### = Social Security number”), and it works — well. Under the hood, it’s all the same Israeli code, but the offerings are packaged with a variety of user interfaces (that may or may not meet your needs). Moreover, file analytics tools are available in a wide range of price points: from $20,000 to $30,000, to more than $1 million.
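As an added illustration of the pattern-matching approach described above (example code, not a tool from the post or from any vendor), here is a small Python file analytics pass: it applies the "###-##-####" SSN rule with the SSA issuance checks that weed out obvious non-SSNs, Luhn-checks card-like digit runs, and then ranks the files of a constructed sample share by sensitivity and staleness so the unmanaged, untouched sensitive data from must-do #1 rises to the top. The three-year stale threshold, the tier names and the sample files are assumptions.

```python
import re

# Pattern table in the spirit of the post's "###-##-#### = Social Security number" rule.
# The lookaheads encode the SSA issuance rules (area never 000, 666 or 9xx; group never 00;
# serial never 0000), so a dumb pattern still skips obvious non-SSNs such as 000-12-3456.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like runs of 13-16 digits with optional spaces or dashes; each hit is Luhn-checked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that rejects most random digit runs the regex alone would accept."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then sum its digits
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count validated sensitive-data hits in one document."""
    cards = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return {"ssn": len(SSN_RE.findall(text)), "card": sum(luhn_ok(c) for c in cards)}

def classify(name: str, text: str, days_since_modified: int, stale_after_days: int = 3 * 365) -> dict:
    """Rank a file: sensitive content nobody has touched in years is the first candidate
    for deletion or for relocation into a managed, access-controlled repository (assumed tiers)."""
    hits = scan_text(text)
    sensitive, stale = any(hits.values()), days_since_modified > stale_after_days
    tier = ("sensitive-stale" if sensitive and stale else "sensitive" if sensitive
            else "junk-candidate" if stale else "low")
    return {"name": name, "hits": hits, "tier": tier}

# Constructed sample share for offline runs: (path, days since last modified, content).
SAMPLE_SHARE = [
    ("hr/onboarding_2012.txt", 2500, "New hire SSN: 123-45-6789; placeholder 000-12-3456."),
    ("finance/refunds.csv", 30, "card,4111 1111 1111 1111\ncard,1234 5678 9012 3456"),
    ("marketing/old_deck_notes.txt", 1800, "Q3 talking points, nothing sensitive here."),
    ("eng/readme.txt", 5, "Build with make; see the wiki."),
]
TIER_ORDER = {"sensitive-stale": 0, "sensitive": 1, "junk-candidate": 2, "low": 3}

def scan_share(share=SAMPLE_SHARE) -> list:
    """Return findings most urgent first; the stable sort keeps share order within a tier."""
    findings = [classify(path, text, age) for path, age, text in share]
    return sorted(findings, key=lambda f: TIER_ORDER[f["tier"]])

if __name__ == "__main__":
    for f in scan_share():
        print(f"{f['tier']:16} {f['name']:30} {f['hits']}")
```

Point `scan_share` at a real directory walk (path, age, contents) instead of `SAMPLE_SHARE` and the same ranking applies; the validity checks are what keep the hit counts from being swamped by phone numbers and invoice IDs.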
The bottom line is that file analysis technology has arrived and is ready to help you take stock of the information you have. That will help you adopt appropriate security and privacy measures. I predict that organizations will increasingly adopt this technology to assess—and minimize—security risks in 2019 at whatever price point.
It’s important to implement these four information security must-do’s in 2019.
I hope that you find my take on 2019 IT security trends and must-do’s valuable, and that it will help you figure out how to address your security needs over the coming year. If you'd like to read in more detail, and begin creating an actionable plan, download our white paper: Transforming Information Security with Information Management.
Note: A version of this post was first published in CMSWire.