Nothing is better than meeting with customers and prospects who can articulate the issues they face as a business and as a security organization, from boardroom and regulatory pressures to the deployment of resources, including people and the tools that enable them. These conversations can occur in hotels around the RSA Conference in San Francisco, rooftop bars around Manhattan, and everywhere in between.
I have been fortunate to have been involved in dozens of such conversations in recent months, and I have realized the commonalities that run through them, whether with a large bank CISO or a security leader from a global communications company. Each brings a unique focus and different challenges. Each is earnest and committed to doing the best for their organization and their people.
They usually share pressure from above, be that the C-Suite, the Board, regulators, or all of the above. The strategies they choose all involve trade offs. They don’t have unlimited budgets to do and try everything. Usually, it’s a mash of homegrown solutions, vendor products, and outsourced managed security services of some sort or another.
Most enterprise security strategies protect networks, endpoints, and identities. Data security is a priority, but it is often not at the heart of security strategies. With the aggressive introduction of GenAI into the enterprise, security leaders are re-evaluating their approach to data security, starting with the internal use of GenAI. There is a near-universal focus on CoPilot and productivity applications like Slack which can be hard to govern when multiple instances are used within the environment.
For cybersecurity executives struggling to design a data security strategy, you are not alone. After listening to CISOs from nearly every industry, I learned of five primary data security challenges even the best security leaders face:
- Understanding what data exists in their environment - This was an interesting one. Regarding their on-premises environments, most believe that they have a good idea about their data footprint. But, when it came to SaaS, and to public cloud they really struggled here. The data security tools they relied on for their data center locations, were admittedly weak at helping discover and classify data outside their corporate perimeter. With data being so democratized in today’s workplace they feel if data were moved to SaaS, or public cloud - they would have significant exposure.
- Knowing the sensitivity of their data - Many acknowledged not all of their data was equal, but that they had no easy way to determine which data was most critical to their security operations. Their on-premises solutions used classification engines built solely on regular expressions and pattern matching, leading to false positives - requiring manual intervention for classification - and they could not accurately classify down to the file or object level. This is increasingly important in the age of mandatory breach disclosure rules.
- The infrastructure distribution of data - Many large enterprises have data in all three major public cloud providers (AWS, Azure and Google), SaaS (primarily a Microsoft shop), and on-premises. Many have no clear idea as to how much data existed within those environments, and whether or not there were data duplicates within their environment. These insights would unlock the ability to make strategic decisions around their infrastructure, and potentially introduce additional data hygiene to remove certain data, or migrate to cheaper infrastructure for reduced attack surface, and reduce data storage costs.
- The relationship between identity and data - It’s no surprise that humans, groups of humans, and non-human identities (devices) require access to business data. Many security leaders are concerned about data access. This was perhaps one of the most impactful learnings for myself. I had only really thought about zero trust in the context of secure access, endpoint security, and the identity provider space. Zero trust is just as applicable to data at rest, but it is never discussed. Is it time for “Zero Trust Data Access” (ZTDA)?.
- Privacy Data Incident Response - The ability to detect data anomalies (users randomly accessing PII data), maintain PII compliance, and minimize the impact of a data incident were top of mind for many - and were clear challenges. The need to align breach response to relevant regulations is a must, but the ability to easily determine what PII data was impacted as part of a data incident is the holy grail. Think about the Change Healthcare incident. Not knowing what PII data was part of the ransomware attack prevented the company from notifying the customers whose PII data was impacted in a timely manner. This was an eye opening revelation for all security leaders - forcing them to find a data security partner to assist them in this scenario.
Think through these five challenges. If you’re a security leader, do you have a solution that can address each? If so, you’re ahead of the curve. If not, it’s not too late to start looking. We at Cyera would be happy to help. Worst case, I’m always happy to connect you with my dinner guests as well.
