What are some common opportunities for organizations to apply data minimization techniques? Where’s the best place to start?
One effective approach is to use tools that can identify the age of data, specifically how long it has been since it was last accessed or used. This objective measure can be incredibly valuable. The key is to avoid relying solely on subjective opinions from privacy officers or lawyers. Instead, presenting objective data can help initiate the conversation about data minimization. Simply telling people to delete data is not helpful. Instead, show them the cost implications of storing and backing up data. For instance, you could identify a specific group of data and calculate the cost of maintaining it. Then, ask the relevant business unit if they are willing to pay the associated costs, which could be in the millions. Many people still view hard drives as limitless storage rather than as file cabinets that require more space and money when full. Shifting this perspective is a good starting point.
Ensuring that your governing documentation is well-defined is crucial. This includes clarifying the responsibilities of data owners and driving education on what data should be retained and what should not. Most organizations have records retention schedules and other mechanisms in place, but these are often not effectively communicated or utilized in day-to-day operations. People need to be actively thinking about data retention. For example, when someone creates an email, they should be aware that it might only need to be kept for three months. Similarly, when creating documents that sit in shared drives, there should be a clear understanding of how long they need to be retained. Without this awareness, data tends to be kept indefinitely, which is counterproductive.
Hi there,
At a previous job, we had an annual process for inventorying all critical data, and identifying the data owners, business cases of use and who all had been granted access to the data.
My security team would facilitate the completion of this inventory and then review the results. If there were areas we felt created a lot of risk, we would ask to meet with the data owners and review the inventory with them. A lot of times they did not remember that they gave the data to other people, or that there were xyz business cases that had long been replaced by new processes.
We used that process as a way to talk about minimizing the exposure, and worked our way through all the departments.
HTH