Finding Synergy Between Cybersecurity and Data Management
By Lester Godsey, Chief Information Security Officer, City of Mesa, AZ
Arguably the two hottest trends in business, cybersecurity and data management are often treated as separate strategic efforts within an organization. What many fail to realize is that they are not as disparate as they first appear and that, if your CISO and CDO collaborate, there are strategic synergies to be had. Below are just a few examples:
Data Classification
Data classification is specifically called out in both disciplines. On the security side, NIST (National Institute of Standards and Technology) SP 800-53 Rev. 4 builds on it: the RA-2 Security Categorization control requires an organization to categorize its information and systems before selecting controls, and the NIST Cybersecurity Framework, one of the most widely adopted frameworks across all sectors, builds on the same idea. On the data side, DAMA International's (Data Management Association) DMBOK (Data Management Body of Knowledge) Second Edition makes data classification a component of the Data Security knowledge area. Put another way, both cybersecurity and data management need to apply classification to an organization's data in order to know what to do with it, how to treat it and how to protect it. Think of data classification in terms of tags: in an ideal environment, your accounting staff can find which data sets were created by Accounts Payable functions, and your security staff can find which data sets are PCI-related and must be treated as confidential.
Data as an Asset
Both cybersecurity and data management view data as an asset. For example, the Asset Security domain of the CISSP (Certified Information Systems Security Professional) exam includes an area dedicated to data management. This is why security controls are applied to HIPAA and PCI DSS data: the data is considered an asset, just like physical devices such as routers and switches. From a data management perspective, data is the common denominator for any organization, and everything in data management is designed so that data is treated as an asset. For example, the Reference and Master Data knowledge area focuses on managing shared data by reducing redundancy and standardizing its usage, and one way this is accomplished is by implementing processes and systems that inventory organizational data. For those still not convinced that data is an asset, ask yourself why some people place such a high value on data about 11 herbs and spices.
Internet of Things
IoT looks different depending on whether you are in the cybersecurity or the data management camp. On one hand, IoT enhances decision-making through the breadth of data it gathers from wireless cameras, sensors and the like. On the other, IoT devices, thanks to their poor security, made up the bulk of the botnet behind the 2016 Dyn DDoS attack and continue to be one of the biggest security challenges in organizations today. What CISOs and CDOs need to recognize is that effective use of IoT cannot happen without both disciplines. The role of cybersecurity is not to dictate to the organization what it can or cannot do; it is to communicate organizational risk, provide options and support the enterprise, in this case by ensuring that IoT technology is implemented in a secure and effective manner. CDOs, for their part, need to understand that it does not matter if IoT devices allow the enterprise to forecast traffic congestion if they end up causing a massive breach of personal information. The concept of risk applies to data management as much as it does to cybersecurity.
Now that we have established some common ground between the two areas, what can organizations do to take advantage of these opportunities?
Collaboration is where it all begins. Within each discipline, outreach to the business and its customers is required. In both cybersecurity and data management, one should not presume to know what the needs of the consumer are but reach out to determine them. Neither discipline exists in a vacuum, so why not work together to determine the most efficient and effective means of promoting both? If your organization has an enterprise PMO, hopefully this coordination is already taking place.
Plan and Execute
Once you have collaborated and determined that data management and cybersecurity share common needs, the next step is planning. For example, if your organization does not have a data classification policy, have both programs work on it together. The classification needs of your cybersecurity and data management programs will most likely differ, but why not tackle them in one effort? There are efficiencies to be gained by doing so, especially if you are looking to implement a system such as a Master Data Management solution. Plus, a project that meets multiple organizational needs is an easier sell to management than one that meets only one.
Cybersecurity and data management are two areas of business that will only continue to grow in importance and impact. By finding these synergies, you use resources more effectively and demonstrate an enterprise-wide view of your organization and its needs.