Have you ever wondered what data security management is and what it does? Why do you need it in the first place? If you have, you’re in the right place.
This post is about data security management and helping you find the answers to these questions. If you need a firm grasp on the concepts of data security management or maybe you’re wondering about its responsibilities, this post has you covered. I’ll also give you a few tips to start your journey. Let’s start with data security at the most fundamental level.
First Things First, What Is Data Security?
A journey of a thousand miles begins with a single step. Your first step is to understand what data security means. In summary, it’s all about protecting the digital data of the organization from any kind of threat. This sounds simple enough, but in fact, there are four core principles you need to consider in data security. These are confidentiality, integrity, availability, and nonrepudiation. You can refer to the first three principles as the CIA triad of data security. Nonrepudiation is a bonus. Let’s discuss these next:
- Data confidentiality: This is what most people think of when it comes to data security. This means only authorized people should have access to the data, and it’s protected from anyone else.
- Data integrity: The key point here is the authenticity and accuracy of the data. In addition, integrity makes sure data is in the right format and consistent during its life cycle.
- Data availability: This principle makes sure that data is available when required. As we all know, data is key for the organization to function properly. This is pretty much like me without my coffee. If there’s no coffee available to me in the morning, I just simply can’t get through the day.
- Nonrepudiation: Basically, nonrepudiation means guaranteeing the origin of the data, so that whoever produced it can’t later deny it. Like when you sign a piece of paper, you guarantee that it came from you.
Think of data security like a musical orchestra. Those four principles are the musical instruments of the orchestra. With this music analogy, you’re ready to move on to data security management.
What Is Data Security Management, and What Does It Do Anyway?
Data security management is the governance and management of data security. Let’s use the music analogy from earlier. Data security management is the conductor of the “data security orchestra.” But what does that mean? Conductors manage the orchestra by managing the musicians. They make sure musicians play with the right instruments, and they set the tempo. As a result, the orchestra plays a harmonious sonata. Data security management plays a similar role to the conductor. It ensures that people follow the right security processes and use the right tools. And if all goes well, the result is a harmonious “data security sonata.”
What else does data security management do? First of all, it translates business objectives into meaningful data security objectives. Sometimes it defines security processes. And sometimes it’s even involved in the security technology bits. It all depends on the culture and the size of the company as well as the kind of industry it operates in. In summary, data security management makes plans, organizes, and controls data security activities. And it defines data security key performance indicators. These indicators will tell you when things go wrong. And sometimes they do.
… But Wait, There’s Even More!
You need to manage the threats to the organization’s data. After all, those threats could stop the business from achieving its objectives. The kind of threats like bad guys wearing black hoodies or funny Guy Fawkes masks in dark rooms. And of course, Mr. Robot. Jokes aside, there are other kinds of threats. For example, what if your admins accidentally delete important databases on a bad day? How about data theft, natural disasters, or physical damage? You need to reduce threats as much as possible by finding the delicate balance among data security, usability, and cost.
But what’s the right balance? For example, you could lock that data up and throw the keys away. This might not cost you a lot, and it’s security at its best, don’t you agree? Of course not. Because no one can access that data anymore, not even the people who need it. You went too far with data security and sacrificed data usability. On the contrary, when you have great security and usability metrics, it could cost a fortune. Good luck finding funding for that project.
To find the right balance, just think of data security as an investment. This is the investment in protecting the data assets of the organization. To do that properly, it’s time to assess the value of that data. How much is it worth to the organization? How about the financial penalties and reputational damages the organization has to pay when things go wrong? Make sure you start asking these questions and having these discussions with the key stakeholders of the business. With their insight, you’ll understand if your data security project is worth investing in.
This Sounds Like Too Much Fuss. Why Do I Need Data Security Management?
By now, I bet your head is spinning and you might be thinking, “This sounds like too much trouble. Why do I need data security management in the first place?” Well, going back to the previous music analogy, does an orchestra need a conductor? Of course it does. One of the most important responsibilities of a conductor is to communicate the intention of the composer to the orchestra. This is exactly what data security management does by translating the business objectives into data security strategies for the organization.
Oh, but wait. We need to talk about the legal and regulatory requirements. Think GDPR, HIPAA, FISMA, and a bunch of others. These mandate data security for various kinds of data. This is a complex topic and not for the fainthearted. Suffice it to say compliance is a must and a lot of work. Do you still need convincing that you need data security management?
How Can I Get Started in Data Security Management?
So far, we’ve covered what data security management is and what it does. We also clarified the all-important “why” question. Are you excited about data security management yet? If you are, I thought I’d help by giving you three key tips you can use. We’ll cover data, risk management, and personnel. Let’s see them in more detail.
Know Your Data
Organizations generate, process, and store all kinds of data at an amazing pace. They use various technologies in the cloud with a click of a button—for example, big data, machine learning, business intelligence tools, and pretty much any other buzzword you could think of. Watch out and make sure you keep a close eye on these and consider the data security implications. For example, container technologies have changed the technology landscape forever. However, containers bring all kinds of additional security threats and vulnerabilities you need to worry about. This means your security tools and processes need to evolve as well to keep up with containers.
Without a doubt, these platforms will make your life more interesting. And that’s OK; we all like the security challenge. The challenge is even more complex once you factor in the legal and regulatory implications. After all, you need a firm grasp on your organization’s data. Without this, you can’t protect it.
Risk Management to the Rescue
How does risk management come into play here? Just remember the core definition of data security. At this point, surely you know it by heart: to protect data from threats. A good risk management framework discusses both the nature of data and the threats in great detail. Please use a risk management framework; both your staff and auditors will be grateful for it. Why? Because risk management is a well-defined challenge in information security and experts figured it out already. Frameworks give you the broad strokes and structures you need to tame the risk management beast. Please don’t reinvent the wheel. Instead, take a look at some of the industry-recognized risk management frameworks. To name a few, there are the NIST Risk Management Framework, ISO 27005:2018, ISO 31000:2018, and COSO Enterprise Risk Management. Just pick one you’re comfortable with and off you go.
The Almighty Data Security Personnel
Last, but not least, there’s personnel. You need to have the right technical skills and personnel at your disposal. Without them, you can’t be successful in data security. Technical expertise is one of the requirements but not the only one. You need individuals with great communication skills who work well with others. After all, data security is always a team effort.
However, finding and retaining people with the right skill set is a challenge these days. Building a security culture within your organization should be your ultimate goal. You can’t do that without the right personnel, so make sure you get it right.
Are You Ready to Start Your Data Security Management Journey?
So, there you have it. Now you understand what data security management is and appreciate all the things it does. Also, you were given a few tips to start or improve your data security management. Next, make a list of actions you need to start your journey. See where you fall short and make a plan to fill those security gaps. Maybe start with a robust data security strategy and adjust it if necessary. Use a risk management framework to understand your risks and threats. Make sure you measure the effectiveness of data security. And most importantly, enjoy the journey.
This post was written by Janos Zold. Janos fell in love with IT while playing the beat ’em up video game Golden Axe as a child. Since then, he’s held various technical roles (engineer, consultant, architect, manager) in Hungary, Ireland and in the UK. He has a passion for information security and cloud (AWS and Azure), and he runs a consultancy that helps financial and telecommunication organizations with information security challenges. He’s an open source (and dog) enthusiast and an OWASP technical contributor who likes researching and sharing knowledge with others.