Cloud must start with governance

Netskope

“The post-digital era is upon us. People are adopting new technology both quickly and completely, and whether they’re customers, employees, or even threat actors, they are beginning to outpace enterprises in their digital transformations. They are more knowledgeable about technology itself and how companies use it, and are becoming selective and demanding of what they adopt, challenging companies to work with them or adapt to them in different ways.” – Accenture Tech Vision 2019

Connectivity to information and data is now ubiquitous and expected by all digital consumers. People demand instant communication, real-time interaction and continuous gratification using technology today. This interaction with interconnected systems generates a massive amount of data that is stored everywhere, sometimes without the organization's knowledge or control. Many CISOs state that the emergence of cloud and mobility leaves their organization “running blind”.

The evolution of this technology, combined with the growing expectations of employees and consumers, highlights that data is becoming a very strategic asset and topic. However, many organizations fail to look at this topic holistically. In the context of cloud environments, typical questions include “What do you do with all this data? Where do we store it? How are we integrating with it? How do we secure it?” and more. Traditionally, these pertinent questions were always addressed in a very siloed manner, based on disparate tools and processes. Organizations and departments have to work together to provide the right answers to these questions.

As Joe McKendrick stated in a recent article, “Many executives view data as a ‘commodity,’ just as oil or electricity. [However] Data is the single most important differentiator in how companies innovate, serve their customers, and gain insight into their markets. Data is not the new oil.”

It is clear that technology is not the primary problem; the organizational inability to properly manage people and incorporate efficient processes is. Delphi Group and David F., CEO of Wasabi Technologies, state in their latest book “The Bottomless Cloud” that while technology is widely available, business leaders need to expand their thinking. “Your business is data; it defines your market, it’s your competitive advantage, it drives your innovation, profitability, and customer experience,” they observe. “Our businesses are no longer constrained by the physical limitations of data storage and access, location or bandwidth.”

Many organizations still do not put enough effort into understanding the level of RISK that technologies such as cloud and mobility introduce. Interconnected ecosystems utilizing these technologies widen the attack surface seen and targeted by threat actors. While most organizations still look at cybersecurity as strictly an individual, corporate effort, they now must include growing ecosystem dependencies as part of their own security posture and make security a fundamental component of how they build those ecosystems.

These ‘legacy’ organizations are not addressing RISK properly. Data is everywhere and continually growing, typically in an uncontrolled manner.  

In a recent post, I called cloud “The perfect reset” and here is why. It is a perfect driver for enterprises to begin implementing a proper, modern security program from scratch. As my good friend Dustin Wilcox, CISO of Anthem, likes to say, “While the strategic security objective is still the same (e.g. rapidly contain security incidents, minimize attack surface and complicate unauthorized access) the tools and tactics change”. So how do we apply this strategy in the cloud?

While more and more CISOs are starting to realize the business value of the cloud and its level of security, it is not about leveraging technology and process from the internal network looking OUT, but about taking a different approach and looking from the public cloud IN.

Everything starts with data! The most common denominator in any business is a data governance model. This is step one. Data governance must be incorporated into the business strategy. While data strategy defines how an organization achieves specific business goals through the strategic use of its intangible assets (data), data governance focuses on a management approach which establishes decision rights regarding that data, and is often designed to minimize risk exposure within an enterprise. This is imperative for every business today, especially when they decide to move to the cloud. If you establish this pillar from the beginning, you will be better off.

Data governance should have clearly defined policies, procedures, processes and standards that everyone must abide by – from classification of data to handling requirements and even ever-changing threat modeling concepts. Every employee should be data security aware. While the level of that awareness might vary based on their work responsibility, they should understand the basics at the minimum. What is that minimum? Well, that is up to the data governance team to define. It’s every employee’s responsibility to understand the impact of potential data loss and the corresponding negative consequences for their business and brand. We need to start moving away from thinking that it is a company’s responsibility to protect everything. We – the digital consumers – are an integral part of the company and it is our responsibility first.

In closing, it is important for every enterprise to think big, start small and continually move forward. It’s imperative to focus on addressing business challenges through the more efficient use of data and continue educating employees on how to safely use the data they work with on a daily basis.

To build a resilient, rewarding future, start with the right data governance model. Success starts at the top, and so does failure.