We've all seen it in the movies: The chief of security declares that no one could ever steal the “Famous Jewel” because it’s protected by thick glass, an impenetrable system of motion-detecting lasers, and, finally, a weight-sensitive sensor. Cut to the next scene, where a thief, dressed in sleek black, zip-lines from an open skylight, shorts the lasers, scores the glass, and with split-second timing, swaps the jewel for a replica of equal weight.
Many corporate executives still view data protection in a similar way—a move/counter-move scenario in which the good guys futilely keep adding more layers of defense.
But there’s one crucial distinction between protecting physical objects, like jewels, and digital assets. Data is alive; it can be transformed and manipulated. And that plays to the good guys’ strengths. Data needs to be readable to have value. Imagine the reaction of a thief who thought he’d grabbed a jewel but finds it is invisible.
What’s needed is to encrypt and transform the data so that even if it’s acquired, it’s valueless to thieves. “When the bad guys get through your perimeter walls, your last line of defense is to make sure that if they hit a dataset, they get garbage,” according to my colleague, Scott Fleming, Protegrity's former EVP of service and support.
This might be old news if you’re a data-security professional, but, unfortunately, many corporate executives still approach data protection as if they’re fighting jewel thieves. Software engineers, senior business executives, and legal personnel can all profit from data-protection training that emphasizes modern approaches and benefits.
Modern data protection has three financial benefits.
First, it forestalls lawsuits from customers and shareholders, as well as fines from regulators. Second, it means that your data is now safe to share with third parties, letting you reap the benefits of business alliances. Third, and most important, it allows you to take full advantage of the power of data mining. The information essential to accurate business intelligence remains, but with obfuscation techniques, the risks associated with data breaches recede.
However, because old habits die hard, achieving gold-standard modern data protection requires a significant investment in training.
Nearly forty years ago, Robert Metcalfe, co-inventor of Ethernet, described a powerful effect of networked communications: In general terms, the more nodes you have, the more connections you can have, thus making your network exponentially more valuable. (In technical terms, as explained on Wikipedia: “The value of a telecommunications network is proportional to the square of the number of connected users of the system (n²)”.)
Although the power of the network effect might seem obvious now, in its time, that insight was so novel it was dubbed “Metcalfe’s Law.”
We’re experiencing a similar moment with protected data. While to many people the exponential financial effects of safely sharing data are obvious, not everyone fully appreciates its power. Because of this, modern data-protection training should address not only the technical aspects, but the ROI of data protection. In an interview with TechRepublic, Robert Waitman, director of privacy insights and innovation for Cisco, quantified what’s at stake: “On average, for every $100 a company is spending on privacy, they’re getting back $270 of business benefit, which comes in the flavor of better security, shorter sales delays, greater innovation and agility, as well as competitive advantages.”
The network effects of securely sharing protected data, with its tremendous ROI implications, should be a major focus of your data-protection training. Consider including such topics as:
• Winning the confidence of customers and vendors
• Data mining
• Expediting supply chains
• Innovation through data sharing (for example, sharing data among research laboratories leads to biomedical breakthroughs)
In WWI, many pilots could figure out for themselves how to fly the simple aircraft of the day. Now, fighter jets are so complex, pilots require hundreds of hours of instruction and flight time to master their skills.
Similarly, fighting data breaches has become an intense, highly sophisticated specialty. Even well-educated engineers are barely up to the knowledge required to successfully defend against ever-increasing attacks.
An additional layer of complexity comes from governments. Line-of-business (LOB) professionals must stay up to date about a constantly shifting and expanding regulatory sphere. In the United States, the regulatory environment is particularly challenging because of its federal system. While Europe operates under one GDPR, so far, the U.S. has left privacy and security regulations up to individual states. GDPR times 50 is any legal counsel’s nightmare scenario.
“The complexity of being compliant with regulatory bodies becomes more difficult every day,” warned Fleming. “Job number one is to be aware of compliance and regulations that affect you. You also need to be educated on the multiple layers of defense strategy.
"Finally, especially if using the cloud, you need to be aware of the shared-security model from the cloud providers and what that means. Cloud providers secure the cloud, customers are responsible for securing what’s in the cloud, including their data. Those are the top three things LOB leaders must know as they take more ownership of customers’ privacy.”
It’s also important to remember that many regulations come with inflexible compliance deadlines—missing them by even one day can result in fines or trigger lawsuits.
And it isn’t just the big stuff, such as the state auditor wanting paperwork by the 15th. It’s also the hundreds of inquiries from consumers that, by statute, must also be answered within set deadlines. For example, the California Consumer Privacy Act (CCPA), California’s version of the GDPR, demands consumer requests be responded to within 45 days.
For companies that do business outside of the United States, there are even more issues to consider. For example, Germany has some of the strictest privacy laws in the world, as well as cultural sensitivity over data misuse, making it especially challenging when companies wish to migrate to the cloud.
Add all of this regulatory complexity to the challenges of sophisticated security attacks, and we are far beyond the days when all you had to do was read the manual and take a couple of hours of refresher training.
Additionally—and importantly—new machine learning and data-analytics tools offer novel ways to mine data for business intelligence. Yet millions of dollars in potential new revenue streams are left on the table because data is too insecure to share internally or with external partners. “You should be able to both securely do data analytics and stay compliant with regulations,” said Fleming.
Nevertheless, despite these current demands, many corporations still rely on simplistic video training sessions that give the same data-protection advice everyone’s heard since the ‘90s: don’t click on links, don’t download attachments, don’t answer requests for money, and don’t use foolishly simple passwords, like Password123. Oh, and here’s 600 pages of privacy regulations, make sure to read them.
Such training leaves both rank-and-file employees and senior executives without an understanding of how treacherous attackers really are, and what kind of damage can be done to a company’s reputation and bottom line. Worse, it does not even address how quickly privacy regulations can change and affect data handling. Nor does it offer any idea of the extended value of secure data.
If your data is in your own data center or on a cloud server in another country, you should be secure in the knowledge that only authenticated and authorized internal staff can ever see customer data. The freedom this allows—not only the ability to safely move data across borders, but also to securely enable new global analytics groups—is extremely exciting.
Outdated training leaves IT departments pleading for more resources and for their colleagues to understand that their roles go far beyond merely repelling attacks. Given the proper opportunity, IT can add essential value by automating compliance and providing data secure enough to be shared with aligned businesses.
LOB executives need to appreciate that secure data means data that can be safely used for analytics, thus increasing revenue, saving money, and saving time. For that approach to work, technical, business, and legal staff must be trained together with the understanding that it’s not just data-security training—it’s about protecting the company’s critical assets while also paving the way for business and analytical innovation. The business leaders of tomorrow understand that data security is as important to the legal counsel trying to protect IP as it is to the data-science teams trying to anticipate new trends.
To achieve these goals, data-protection training must go beyond a technical recitation. Modern training should be akin to a graduate seminar conducted by a university’s engineering school in conjunction with its business and legal schools. It must help LOB executives, as well as software engineers and data scientists, fully understand their roles and responsibilities, and how they can all protect and increase ROI.
Data only has value at the point of consumption, when someone is using that data for a purpose. It’s easy for companies to lose sight of this fact during a data-protection implementation, because securing a company’s sensitive data where it’s stored is serious business, and topics such as analytics can sometimes take a backseat.
That’s why it’s important for any related training to not only contain the technical capabilities, but also real-world examples—to help remind everyone of the “why.” The byproduct of implementing robust data-level protection for something like personally identifiable information (PII) is that the data is not only secured, but also liberated to be used in new and strategic ways.
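The "secured but still usable" idea above, and the earlier point that a stolen dataset should be garbage to a thief, can be made concrete. The following is an added illustration, not code from the original post or from Protegrity: a keyed, deterministic pseudonymization of a PII field (a hypothetical `tokenize` helper using HMAC-SHA256) applied to constructed sample tables, after which a revenue-by-state report still joins and aggregates correctly even though no plaintext email survives in the protected tables.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample data (hypothetical, not real customer records).
CUSTOMERS = [
    {"id": 1, "email": "ann@example.com", "state": "CA"},
    {"id": 2, "email": "bob@example.com", "state": "NY"},
    {"id": 3, "email": "cat@example.com", "state": "CA"},
]
ORDERS = [
    {"email": "ann@example.com", "amount": 40},
    {"email": "ann@example.com", "amount": 25},
    {"email": "cat@example.com", "amount": 10},
]
PII_FIELDS = ("email",)


def tokenize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic pseudonym: the same value under the same key
    always yields the same token, so joins still work. The field name is
    mixed in so an email token never collides with, say, a name token.
    Without the key, the token reveals nothing about the original value."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def protect(records, key: bytes, pii_fields=PII_FIELDS):
    """Return copies of the records with every PII field replaced by its
    token. Non-PII analytic fields (state, amount) are left intact."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in pii_fields:
            if field in copy:
                copy[field] = tokenize(copy[field], key, field)
        out.append(copy)
    return out


def revenue_by_state(customers, orders):
    """Analytics over the protected tables: join orders to customers on the
    (tokenized) email and sum revenue per state. Gives the same answer on
    the plaintext tables; the join key is hidden, the report is not."""
    state_of = {c["email"]: c["state"] for c in customers}
    totals = Counter()
    for o in orders:
        totals[state_of[o["email"]]] += o["amount"]
    return dict(totals)
```

The key lives with the protection service, not with the analysts: anyone who copies the protected tables gets opaque tokens, while the business still gets its report.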
The best news is that a modern, comprehensive approach to data-protection training can be far more intellectually engaging for participants. It should allow professional growth and independence, as a company’s personnel become able to solve more problems on their own, without being dependent on outside vendors.
“The ideal is to develop a center of excellence within your company, where data scientists, data protection specialists, and LOB executives understand and wield the power of data protection,” noted Fleming. “You want your people to be enabled, to learn to fish for themselves."
Training should have an effect on corporate culture, according to Fleming. “In addition to creating a data-protection ‘tiger team,’ you also need to get all employees to consider data protection as a basic corporate skill. Think of data protection as if it were Excel: Of course, your accounting department is going to work with it at a higher level than your creative services department, but every professional in a corporation should be familiar with the basics of spreadsheets. Similarly, everyone should have data-protection principles in mind as they do their work.”