What can we CISOs and CIOs do to better protect our organizations from security threats?
Assistant Director IT Auditor in Education, 10,001+ employees
Very simple, but needs expertise. Perform a data categorization and assign data ownership. Critical data (PII, HR, financial, etc.) should be stored on a very secure system; put these systems behind a separate firewall (enclave), with access via two-factor authentication, IP restriction and monitoring.
VP of IT in Software, 1,001 - 5,000 employees
Perform threat modelling, map against a maturity model such as NIST or BSIMM, identify the gaps and develop a multi-year security improvement program prioritised based on risk appetite and targeted maturity.
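The "separate firewall (enclave)" recommended in the IT Auditor's answer above, as an added example of the kind of ruleset it implies (not code from the original thread). The subnet, jump-host range, SIEM address and ports are constructed assumptions; the firewall is assumed to sit between the enclave and the rest of the network, and MFA is assumed to be enforced on the jump hosts before any session reaches it.

```nft
#!/usr/sbin/nft -f
# Constructed example: nftables ruleset for a firewall in front of an enclave
# holding critical data. Addresses and ports below are assumptions, not values
# from the original post.
define ENCLAVE_NET     = 10.50.0.0/24   # hosts storing PII / HR / financial data
define MFA_JUMP_HOSTS  = 10.10.5.0/28   # only entry point; MFA enforced there
define SIEM            = 10.10.9.10     # log collector for the monitoring requirement

flush table inet enclave

table inet enclave {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Keep already-authorized sessions working; log and drop malformed traffic
        ct state established,related accept
        ct state invalid log prefix "enclave-invalid: " drop

        # IP restriction: only the MFA jump hosts may open connections into the enclave,
        # and only to the application and database ports. Every allowed session is logged.
        ip saddr $MFA_JUMP_HOSTS ip daddr $ENCLAVE_NET tcp dport { 443, 5432 } log prefix "enclave-allow: " accept

        # Enclave hosts may ship their own logs to the SIEM (TLS syslog); no other egress
        ip saddr $ENCLAVE_NET ip daddr $SIEM tcp dport 6514 accept

        # Monitoring: everything else is logged (rate-limited) before the default drop
        limit rate 10/second log prefix "enclave-deny: " drop
    }
}
```

Load with `nft -f` on the enclave firewall and forward the kernel log lines prefixed `enclave-allow:`, `enclave-deny:` and `enclave-invalid:` to the SIEM so attempts from outside the jump-host range are visible.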
A lot of organizations have DLP. When asked why they deploy it, they say it is to prevent the exfiltration of data. Come to think of it, who would be the people moving the data to where it shouldn't be? The external person got through your firewall, your network intrusion detection and prevention system, the alerting mechanisms, and onto your hosts, the HIDS, the HIPS. You want to tell me they can't get past a signature-based DLP because they've found the crown jewel that's labeled 'top secret'? Do you think they're going to be stupid enough to try and move it in the same package and the same form that's going to hit the trigger?
If I'm looking at stealing intellectual property, dropping a logic bomb or trying to steal personal health records in a healthcare organization, well, I've already been granted access, so I'm an authorized user. Because I have been trained on the sensitivity of the data, I pretty likely know the DLP signatures too. So, unless I was being really stupid to steal stuff, I would get caught. DLP for the insider risk only really mitigates a non-malicious actor from handling the data improperly, which is a pretty good thing to do, but it's not enough. And you spend all this money to deploy all the stuff, and it really doesn't manage any of the risk that you want it to. Going back to my execution of malicious code, if I was a malicious insider, and I wanted almost 100% certainty I'd get away with it, what would I do? I'd hire a Crimeware as a Service for a couple hundred bucks, get myself phished, have the data taken out, and have complete plausible deniability that I didn't do a damn thing.
You're not mitigating your risk. You're mitigating a compliance risk, but why deploy it everywhere, then? If you have to do it for compliance purposes, go put it on the nurse's station, in front of the data stores where that healthcare information is. Take it off of 75% of the rest of the company. And stop wasting your time and money. That's the type of review that I would do on a control-by-control basis, to really see if it's delivering the business outcome.