The Information Security discipline is undergoing a rapid and profound shift. Its focus is expanding from defending the perimeter against bad actors to include risk-mitigation practices, so that when the inevitable breach happens, the organization's data contains as little damaging information as possible and its response processes and procedures are world-class.
The Future-state CISO
A primary objective of the CISO in this new environment is to identify and secure sensitive data. Sensitive data includes protected health information (PHI), personally identifiable information (PII), and intellectual property (IP). Another concern of the CISO is “junk” data. This includes the so-called ROT—redundant, obsolete, and transitory data. This is important because the more junk an organization has on its systems, the more difficult it is to manage the important data. Given these general objectives, what will day-to-day responsibility for information management likely entail within Information Security? There are seven areas that any Information Security function or CISO will have to address:
- Compliance Framework
- Policy Infrastructure
- Data Map
- Disposition Protocols
- Cleanup
- Monitoring
- Prevention
A Real-world Plan of Action
To fulfill these new responsibilities a CISO must be willing to do things differently than they do today. Here are some recommendations for how CISOs can change.
- Assess the organizational functions which have responsibility for information management-related compliance at your organization.
- Determine what policies and processes are required for information security to effectively manage corporate data.
- Inventory sensitive data and ROT and identify ownership.
- Gain consensus on how to remediate sensitive data and ROT.
- Implement technology to remediate.
- Monitor ongoing behavior to identify areas where the organization is exposed to the greatest risk.
- Determine how to prevent end users from engaging in sub-optimal information management behaviors, while not unduly constraining the business effectiveness of those users.
Want to learn more? Download the white paper for further detail.
We've covered the basics in this post, but you can download our white paper for comprehensive details on how CISOs and other security professionals can tackle the expanding responsibilities for information governance.