This document discusses how to strengthen corporate culture for cybersecurity by shifting to a data-centric paradigm. It recommends focusing on protecting data rather than just the IT infrastructure. This includes defining crucial data, using encryption and data masking, and monitoring data movement with DLP solutions. It also suggests achieving culture change by getting users involved, making training engaging like a video game, learning from data breaches, and creating a framework focused on data security. The goal is to involve all employees to better understand vulnerabilities and strengthen security.
Cultivate a stronger corporate culture to enhance cybersecurity
Cultivate a Stronger Corporate Culture to Enhance Cybersecurity
The fast-changing threat landscape requires a data-centric paradigm shift
Friday, September 14, 2018
By David X Martin
Corporate cultures do not change quickly – they migrate. Most organizational development experts offer the same recipe for culture change: (1) pick the right leadership, (2) recognize and reward the behaviors you want to encourage, (3) communicate clear values, and (4) provide extensive training.
But this recipe won't work for the ever-evolving, shape-shifting, constantly moving target that is cybersecurity. Most employees aren't interested in their own digital security, much less their company's. Therefore, changing a company's culture to strengthen security is especially difficult – it requires a paradigm shift in order to keep pace with the threat landscape.
Most people think of security as the protection of a company's digital environment – a virtual hardened shell of controls guarding the company's networks, servers, and applications. The problem with this paradigm is that when you focus on the environment, the security employed becomes an end in itself and is not directly related to the data it is trying to protect.
Those who create and handle data are best placed to understand its value, David X Martin says.
For example, suppose a company is trying to defend against data loss or the unauthorized use of data. Isn't it far better, from a security perspective, if the data itself is not readily readable – and can be tracked based on those with authorized access and the business context in which it is being used?
Further, this approach complements rather than replaces the multiple defensive layers that a company may implement as part of a defense-in-depth strategy.
Data-Centric Security
When we shift our focus from the IT infrastructure to the data that needs to be protected, the first step is defining "what is the crucial data?" Once that is defined, you can use new, proven solutions to control how the data is handled and distributed.
Encryption, for example, can help ensure that data is secure whether at rest or in motion. But it is not fail-safe, because once cyber criminals intrude into a network with stolen, valid user credentials, encryption becomes useless: the intruder can decrypt the data just as the legitimate user would.
Data masking, which is the process of hiding specific data, is another useful tool. Data masking can be achieved in a number of ways: by obscuring the data dynamically as users perform requests; by duplicating the data and eliminating the subset that needs to be hidden; or simply by masking the data from users or third parties.
Another way to control data is through the use of Data Loss Prevention (DLP) solutions,
which can provide accurate information regarding the movement of sensitive data – and even
block the transfer or delete it when found on unauthorized endpoints. Continuous monitoring
of the data using DLP solutions can help identify breaches in a timely fashion and limit the
damage inflicted.
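As an added example (not the author's code and not any product's ruleset), the following Python sketch combines the two controls just described: dynamic field masking by role, with every read recorded against its business context, and a DLP check that blocks restricted content leaving the organization. The record layout, role clearances, and detection patterns are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample record: each field carries a sensitivity tag (hypothetical schema).
CUSTOMER = {
    "name":        ("Jane Example", "internal"),
    "email":       ("jane@example.invalid", "internal"),
    "card_number": ("4111111111111111", "restricted"),
    "ssn":         ("123-45-6789", "restricted"),
}

# Hypothetical policy: which classification levels each role may read unmasked.
ROLE_CLEARANCE = {"support": {"internal"}, "finance": {"internal", "restricted"}}

ACCESS_LOG = []  # tracking: who read which fields, and under what business context

def mask(value):
    """Obscure all but the last four characters so the field stays usable for matching."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def read_record(record, role, context):
    """Dynamic masking: fields above the caller's clearance are obscured at request
    time, and the read is logged with the role and the stated business context."""
    cleared = ROLE_CLEARANCE.get(role, set())
    view = {f: (v if lvl in cleared else mask(v)) for f, (v, lvl) in record.items()}
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "context": context,
        "fields_unmasked": sorted(f for f, (_, lvl) in record.items() if lvl in cleared),
    })
    return view

# Constructed DLP rules: simple patterns that indicate restricted data in free text.
DLP_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def dlp_check(message, label, destination_internal):
    """Return (allowed, reasons). Internal movement is recorded but never blocked;
    outbound transfer is blocked if restricted content or a restricted label is found."""
    reasons = [name for name, rx in DLP_PATTERNS.items() if rx.search(message)]
    if label == "restricted" and not destination_internal:
        reasons.append("label:restricted")
    if destination_internal:
        return True, reasons
    return (not reasons), reasons
```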
Achieving Culture Change
The paradigm shift – focusing on the security of the data employing data-centric security –
will change your corporate culture.
Get the users involved. Historically, anything to do with IT security was kept away from
users by IT teams. Little wonder that users show little or no interest in the company's
security.
In reality, users are the front line of data security. They create and handle the data and are
best placed to understand the value of the data. Case in point: Allianz Ireland forced its
users to select a data classification before a document could be shared or an email sent. The
company experienced a rapid culture change within just a few months, resulting in a 60%
increase in employee awareness of data security practices and an 89% reduction in breaches.
Engage employees in training applications. Today's cyber risk training focuses on phishing
schemes – not protecting data. Most training programs are not engaging, interesting, or fun.
They try to teach with borderline yes/no questions, and usually 80% of them have “yes” for
an answer. No one fails as long as they answer all the questions. Borrrring!
Now suppose the cybersecurity training is a video game, and you're having fun role-playing a
bad guy who stole valid user credentials and now is trying to steal company data. You
receive points based on how far you succeed in stealing data.
The game is highly engaging, and at the end of the session you obtain a point score that, if
high enough, comes with a reward. Even better, the company now has valid data to determine
employees' cyber awareness – information which could be used to help purchase cyber
insurance.
Make diversity part of the security culture. Self-awareness and consciousness are the first
steps toward changing any undesired behavior or attitude. Employees' decision-making
related to security is influenced by their diversity, their background, openness to discussing
these issues, and attitude about community. But posters, screen savers, and even in-person
group reviews will barely influence your employees' ability to judge threats.
Suppose a data breach occurs, and it is used as a learning experience for everyone. Instead of
just creating a PowerPoint, why not have employees then try to write a phishing email for the
company? This approach takes into account the diversity of your employees and their
varying levels of understanding of the threat.
Further, because employees are on the front line and know the company's vulnerabilities, as
well as their own and their coworkers' vulnerabilities, you might learn of additional
vulnerabilities you had no idea existed.
Create a framework that focuses on what is the right thing for security. Looking at
security from the point of view of data, the security framework needs to address these
questions: What are the crown jewels of our digital assets? What people, processes, and
technology are employed to protect them? What would be the impact of a breach of this data
on the organization, and how would we respond?
Strengthening the corporate culture for cybersecurity is not just about developing an
approach that reaches the right people with the right message at the right time. It's about
focusing on the data – and involving all employees at all levels.
David X Martin (dxm@cybxsecure.com) is a former chief risk officer and was founding chair
of the Investment Company Institute's Risk Committee. He is an adjunct professor, author,
expert witness, and co-managing director of cybX. His previous contributions to GARP Risk
Intelligence include For Corporate Boards, a Cyber Security Top 10; and Risk Management
in the Cloud.