The world is awash with data, the volume and veracity of which are growing exponentially. In the last two years alone, 90% of the data in the world was generated. The acceleration of data creation is permeating every aspect of business and society. While data protection has always been a key priority in the online world, the current pandemic situation has made it more important than ever with the increasing cybersecurity threats.
In an exclusive conversation with CXOToday, Nick Savvides, Senior Director of Strategic Business, Forcepoint, explains how Indian enterprises are placed in terms of their ability to protect data and why data protection should be a never-ending journey for businesses.
CXOToday: How, according to you, are enterprises placed in terms of their ability to protect data, especially as security events exploded during the pandemic?
Nick Savvides: Data protection in general is a complex area and is especially challenging in India due to the complex operating environment. There is a mix of multinational mature organizations, local service providers with international focus, local service providers with domestic focus, all of which have differing privacy requirements, imposed by the data regulators in their target markets as well as the local frameworks and rules. This leads to a massive gap between organizations where the idea of privacy regulations, and to a certain extent, data protection regulations are alien, while for others it is baked into their corporate culture and procedures.
It’s well understood that data breaches can cripple businesses and while it’s true the financial implications tend to be significant—both in terms of revenue loss and potential fines—breaches often cut deeper, especially when they result in loss of critical intellectual property. Furthermore, it’s best to avoid a brand reputation-tarnishing event altogether. Organizations should focus cybersecurity resources more on detecting and preventing potential breaches rather than cleaning up after a breach has already occurred.
Then there’s this new challenge few could have anticipated—a large-scale disruption to the way we do business. The sudden, massive demand for secure remote workforce solutions woke up the organizations to a new reality. And this massive disruption has taken place while organizations are at various stages in their digital transformation efforts. Many organizations have accelerated their digital transformation plans in response.
Another problem facing some organizations is that in the rush to send people home, these security-focused tools have tried to be repurposed for productivity monitoring. It is highly advised that these streams of work remain separate as there are significant operational and privacy concerns at play, with ultimately compromises being made on both the data protection and the productivity side.
Some organizations are therefore in a strong place introducing new technology, rolling out DLP (data loss prevention) and CASB (cloud access security broker) programs, and others are in a different place entirely. We have also noticed a broader adoption of workforce monitoring, user activity monitoring (UAM) and user behavioral analytics (UBA) tools.
It is paramount that Indian organizations consider the overall trends to improve data privacy, both from a regulatory perspective and from a corporate perspective. For this to be successful, and for Indian organizations to be ready for the next evolution in privacy, cultural acceptance of privacy must be a priority. Privacy and data protection have to be a concern of everyone in the organization and the executive and senior leadership must lead by example. If your people don’t accept the new concept of privacy, it’s no good. If people can’t get over the fact that data on the screen might not be yours, to do with as you wish, and that it can only be used for the purposes you collected it for, then we are going to struggle with wholesale implementation of data protection policies.
CXOToday: Will there be a common standard in data protection and recovery that will link global organizations or will it continue to remain in silos creating a complex environment for organizations to adapt to?
Nick Savvides: There are very few industries or sectors that have universally accepted policies, and privacy and data protection are no different, so the silos are not going to go away. It is likely though that there will be much harmonization, so that there will be common themes, very similar rules at the center of all regulations and policies, but with differences at the edges.
One of the big catalysts of this has been GDPR, the first serious extra-territorial regulation that means no matter where you work, if you use European data, you need to adhere to these regulations. This has prompted a wide range of similar but different regulations and policies in a number of countries throughout the world. While this is happening at the conceptual level, unfortunately, even within some countries, regulations differ widely between constituent states.
As such this will continue to be a significant and complex area to navigate, and we are already seeing not just the rise of the tools to protect data and privacy but also manage the concepts. Expect to hear about PrivacyOps a lot more in the future.
While complexity won’t necessarily reduce significantly, what is certain is that digital transformation is a non-reversible wave, and data protection is an integral part of the move to digital and the cloud. Organizations are so interconnected with employees, supply chains, partners and customers all moving seamlessly in and out of a company’s perimeter, that they must act in this space or they will be left behind.
CXOToday: What does data protection mean for a country of India’s size where personal and organizational data privacy are equally challenging?
Nick Savvides: Unlike other countries across APAC, India is still coming up with its own privacy laws. From a regulatory point of view, the trend in digitization is actually pushing the regulators to get the privacy bill for India out. We had originally expected it in the government’s Monsoon session but it has been pushed to Winter – so really it’s going to be a while before we get a chance to look at it.
One of the big drivers for speed here is the sheer amount of digital data now out there, and because of COVID we also have a large quantity of personal and health information online, which has to be looked at seriously by policy makers.
What has been the biggest challenge for enterprises is that there is a sense of insecurity. Everything is now out of business leaders’ physical boundaries. There was a sense before that if information resided physically in an office or network it was safe, and now that’s not the case, people are feeling insecure. Speaking to privacy officers, the question they are being asked by the board is, now people are outside the office, are the privacy requirements taken care of in the same way as they were when they were IN the office? And the answer is, there is no simple answer.
The best you can do is to ensure your security programs are well implemented, as there is a focus on universal endpoint data protection, that is, data protection at the points it is being created, used and stored. Systematic protection is required. Data at home means a whole new definition of privacy: and this is not about implementing a technology solution, but a personnel challenge. Companies have to ask themselves, are their people educated enough on how to deal with data at home?
CXOToday: What does the future hold for enterprise data protection and what should the CIO/CISO keep in mind?
Nick Savvides: When we talk about data privacy, digitization and digital transformation, it’s almost like we’ve seen five years of development and technology implementation within six months! And with that, we have seen a rise in digital risk. The risks are really focused on the privacy and security of data. We are going to see CIOs and CISOs spending more time with the board discussing and managing digital risk.
In anticipation of regulation and treating these new digital risks, there are a few things that organizations can do to better navigate these challenges. Firstly, recognize that digital privacy, data-protection and cyber-security are distinct but related things. You can’t think of privacy as solely a technology problem, or data protection as a cyber-security issue. They are all big enough problems that they must be tackled by their own programs of work.
On the technology side, adopt and use privacy protecting tools but ensure they fit into your broader cyber security goals. On the policy side, develop and understand procedures that are robust but flexible enough to adapt to changing regulation. Contrary to popular belief, cybersecurity technology can in fact be a business innovation enabler.
In my own conversations with boards and CISOs, I talk about three technologies like DLP, CASB and UAM/UBA, which can really support what the board needs in terms of risk reduction. Part of the challenge is uncovering the risks: what you don’t know you can’t measure, and what you can’t measure you can’t improve. Once you understand what data you have, what’s being moved in and out of the cloud, and how your users are interacting with your data, you can then create a technology stack which can monitor and manage risk more effectively.