CISOs Rethink Data Security With Info-Centric Framework

  /     /     /  
Publicated : 23/11/2024   Category : security


CISOs Rethink Data Security With Info-Centric Framework


The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.



RSA CONFERENCE 2023 – San Francisco –

The coalition behind the
Data Security Maturity Model
has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.
The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.
During a panel at RSA Conference 2023, entitled
Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity
, coalition members laid out a vision for the next generation of data security.
The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users, the coalition said in a statement.
The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:
Identify & Classify:
Find and classify all data covered by the data security program.
Protect:
Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
Detect:
Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the Protect function.
Respond:
Establish immediate, short-term actions to be taken upon detection of a potential incident.
Recover & Improve
: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.
In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used,
how much is in the cloud,
privacy regulations,
how employees and others use the data
, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organizations data footprint.
Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a
new framework approach
was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply cant be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.
If you think about what security is enabling, its the use of data, and ubiquitous access to it, he says. Its necessary to connect to the network to use the data thats in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes its at rest, and sometimes its in transit.
He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.
Data is on a logarithmic curve; for every amount of data that I have next year, its probably 2.5 times more than the amount of data I had this year, he says. Were data hoarders, for lack of a better term; no one wants to get rid of peoples information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots.
Further adding to the challenge is the fact that
some data is of course more sensitive
than other information, and some information doesnt need protecting at all, Rushing points out. And theres dynamism in terms of defining appropriate security levels as data ages.
He uses a product launch to illustrate his point. With a product release, we start off with a situation where no one knows about it, everythings embargoed, and youre protecting this important intellectual property, he explains. And the next thing you know, its released for public consumption. And its suddenly not top secret anymore, in fact, you want the whole world to know about it.
Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.
I dont want to say its one size fits all, but its very close to one size fits all, he explains. The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that.
He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.
If you dont start [or] you dont think about this, youre going to get hit in the next 6, 12, 18 months in some way, shape, or form, he warns. Its not like the Internet is becoming a safer neighborhood and data is the new oil thats going to drive business and attackers alike.

Last News

▸ New threat discovered: Mobile phone ownership compromised. ◂
Discovered: 23/12/2024
Category: security

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
CISOs Rethink Data Security With Info-Centric Framework