Auditors are Asking Better Questions—Organizations Should Have Better Answers (2024)

As part of the audit process, auditors typically inquire about an organization’s operations by posing a series of targeted questions. When discussing their operations, most organizational leaders say that data is important to their organization and that the security of that data is a top priority. Security leaders agree that regulatory compliance is not an effective security strategy, yet the protection of data in most organizations is strictly limited to regulated data. Overcoming this paradox is necessary to build effective data security programs that both protect data and meet regulations.

Flunking the Softball Questions

Compliant organizations are often breached because, historically, internal and external auditors have largely shied away from asking questions about capabilities that are not explicitly required for compliance. Moreover, when these questions have been asked, auditors have often been too ready to accept non-answers. Responses from organizations such as “We do not know” have long been commonplace. This lack of rigor is part of the reason that so many organizations have employees who are responsible for ensuring regulatory compliance, but far fewer have owners of data security itself.

This blasé response to data security is unacceptable. If organizations believe that data security is a priority, they need to be able to answer basic questions about the security of that data. While there are dozens of potential topics that auditors could ask about, almost all of them boil down to 9 key questions:

  1. Where is the data stored?
  2. What data was accessed?
  3. How much was accessed?
  4. Was any of it altered, either unintentionally or purposefully?
  5. Who has accessed the data?
  6. When did they do it?
  7. How did they do it?
  8. Was the data accessed in an appropriate manner?
  9. Taken together, what do the answers to these questions mean for the organization’s risk profile?

These questions are not complicated, and the means to answer them are readily available. Capabilities such as data discovery and classification—which are foundational to any data security strategy—can be brought in, whether through automated tools or external consultants. Likewise, there is no justification for lacking a well-defined strategy in the case of a significant data breach or loss. Everyone should know whose phone rings first when a breach has been discovered, and that person should already have access to all the answers and tools to formulate a proper incident response.

The Changing Nature of Auditing

In this context, it has been highly encouraging to see the dynamic between organizations and auditors starting to shift in recent years. Moreover, there is a growing trend of auditors probing into the capabilities of organizations, posing inquiries such as:

  • How is access to personally identifiable information (PII) monitored and secured?
  • What methods are used to detect unusual or anomalous behavior?
  • How can one determine whether a material change has been made to a given dataset?
  • What processes are in place to deal with orphan and unused data users?

This maturation of the auditing process is critical, as it not only prompts organizations to improve their data security processes, but can also help to identify gaps in their strategies. Faced with more concrete, tangible questions, organizations are more likely to engage in serious introspection about what investments they are making into data security, and whether it is the most effective use of resources.

Running With the Cyber-Bulls

Data protection and its common intersection with regulatory compliance can quickly become a complex, long-term, and ineffectual project without an informed strategy. As previously noted, security leaders agree that a regulatory-compliant program does not equate to an effective data security program. However, they equally agree that a well-defined and well-implemented data security program does in fact both protect data and satisfy the requirements of regulation. There are several ways organizations can ensure their data is protected and secure:

  • Monitor access to all data, not only regulated or critical data.
  • Monitor actions of all users, including applications and APIs, that access data, not just privileged users.
  • Monitor all locations where data is stored, from legacy systems to modern cloud systems.
  • Store data long enough to satisfy regulations as well as to support acceptable incident response (usually 1 to 3 years).
  • In-house data security expertise is uncommon, so get help from service or technology partners.
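As an added illustration (not code from the article or from Imperva), the following Python shows how a data-access audit log can answer the nine questions listed earlier and the newer auditor probes (anomalous behavior, material changes, orphan users). The log records, field names, entitlement table, and thresholds are all constructed assumptions.

```python
# Added example: answering the article's audit questions from a data-access audit log.
# The records, field names, POLICY table and thresholds below are constructed assumptions.
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records: one row per data access event (any store, any access path).
LOG = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "store": "crm-db", "table": "customers", "action": "SELECT", "rows": 40, "via": "crm-app"},
    {"ts": "2024-03-04T09:30:00", "user": "bob", "store": "crm-db", "table": "customers", "action": "UPDATE", "rows": 3, "via": "crm-app"},
    {"ts": "2024-03-04T23:55:00", "user": "svc-report", "store": "dwh-s3", "table": "customers", "action": "SELECT", "rows": 250000, "via": "rest-api"},
    {"ts": "2024-03-05T10:02:00", "user": "alice", "store": "crm-db", "table": "customers", "action": "SELECT", "rows": 55, "via": "crm-app"},
    {"ts": "2024-03-05T10:20:00", "user": "carol", "store": "legacy-as400", "table": "customers", "action": "SELECT", "rows": 20, "via": "direct-sql"},
]
# Assumed entitlement policy: who may touch which table, and how (question 8).
POLICY = {"customers": {"alice": {"SELECT"}, "bob": {"SELECT", "UPDATE"}, "svc-report": {"SELECT"}}}
PROVISIONED = {"alice", "bob", "carol", "svc-report", "dave"}  # accounts that exist

def where_stored(log, table):  # Q1: every store (legacy or cloud) holding the table
    return sorted({r["store"] for r in log if r["table"] == table})

def who_when_how(log, table):  # Q5-Q7: who touched it, when, and through which path
    return [(r["user"], r["ts"], r["action"], r["via"]) for r in log if r["table"] == table]

def rows_accessed(log, table):  # Q3: volume touched, summed per user
    users = {r["user"] for r in log if r["table"] == table}
    return {u: sum(r["rows"] for r in log if r["table"] == table and r["user"] == u) for u in users}

def alterations(log, table):  # Q4: any write to the table, intentional or not
    return [(r["user"], r["ts"], r["rows"]) for r in log
            if r["table"] == table and r["action"] in {"UPDATE", "INSERT", "DELETE"}]

def policy_violations(log, policy):  # Q8: access outside the user's entitlement
    return [(r["user"], r["table"], r["action"]) for r in log
            if r["action"] not in policy.get(r["table"], {}).get(r["user"], set())]

def volume_anomalies(log, factor=10):  # auditor probe: unusual behavior vs. a median baseline
    typical = median(r["rows"] for r in log)
    return [(r["user"], r["ts"], r["rows"]) for r in log if r["rows"] > factor * typical]

def orphan_users(log, provisioned, now, days=90):  # auditor probe: provisioned but unused
    cutoff = now - timedelta(days=days)
    active = {r["user"] for r in log if datetime.fromisoformat(r["ts"]) >= cutoff}
    return sorted(provisioned - active)
```

Taken together, the outputs (all stores, every user including the service account, the one write, the out-of-policy direct query, the outsized API read, and the unused account) are the raw material for question 9, the organization's risk picture.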

Cybersecurity is constantly evolving, and data security is no exception. Attackers are always improving and refining their techniques, meaning that organizations must bring in better tools to maintain their security. Think of it as the digital equivalent of running with the bulls in Pamplona. Every year, thousands take to the streets, chased by fighting bulls with razor-sharp horns, aiming merely to reach the finish line before them.

When running with the bulls, you do not have to be the fastest, but you do not want to be the slowest. Your speed last year may not have changed, but if everyone around you is getting a bit faster all the time, you can very quickly find that, instead of being comfortable in the middle of the pack, you are suddenly in last place and in very real danger. Auditors are upping their game to ensure that their clients are not falling behind—the onus is now on organizations to recognize this and respond quickly.

Terry Ray

Terry Ray is SVP of Data Security GTM, Field CTO, and an Imperva Fellow for Imperva, a Thales company. As a technology SVP and CTO, he supports all corporate business functions, drawing on his more than 2 decades of cybersecurity experience. Previously he served as Imperva’s chief technology officer, where he was responsible for developing and articulating the company’s technical vision and strategy, as well as maintaining a deep knowledge of the application and data security solution and threat landscape. Ray is a frequent speaker for ISACA, FS-ISAC, IIA, ISSA, OWASP, RSA, and other professional security and audit organizations in the Americas and abroad. He also provides expert commentary to the media and has been quoted in Security Week, SC Magazine, Forbes, CBS News, the BBC, and many others.
