Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.
This article provides highlights from our ‘CISO Point of View: The ever-changing role of data, and the implications for data protection and storage security’. Get the complete guide here (don’t worry, there’s no form!).
We wanted to get the opinions of CISOs on the topic of securing data assets: What contributes to the increase in data’s business value? How is technology adapting to accommodate this change? Which security practices have evolved, and do they match the current business needs? And finally, their top recommendations for other CISOs?
In the process of writing this article, we were fortunate to gather opinions from other CISOs. Here are some of those lessons.
This article is useful for all security professionals who want advice on taking a risk-based approach to data protection and recoverability. To be honest, I believe all CISOs should tackle this topic head-on.
Let me start with the obvious: CISOs are concerned about the rise of ransomware – not only of the proliferation of attacks but also of their sophistication: “The storage and backup environments are now under attack, as the attackers realize that this is the single biggest determining factor to show if the company will pay the ransom,” says George Eapen, Group CIO (and former CISO) at Petrofac,
Given the growing value of data, this raises significant questions about the overall maturity of storage and backup security.
The majority of CISOs feel that too little focus is paid to recoverability – shortsightedness that manifests itself in many forms: “Threat models need to be focused on data and system ‘availability’ risks, and a huge piece of that data protection mandate is in the hands of DR/BCP capabilities,” says Ian Thornton-Trump, CISO at Cyjax.
When it comes to securing data assets, almost all CISOs feel that current IT management practices leave much to be desired: “There’s a need to find the loopholes. No matter how consolidated you think the data has become, hunt – just as you do for threats – for the vulnerable data outside the ring of protection,” says Joel Fulton, former CISO at Symantec and Splunk.
A common recommendation is to revisit the way organizations approach information storage and backup security. Sunil Varkey, CTO at Forescout Technologies, states that “Information protection should sit across the lifecycle of data. Starting with blueprinting and the enterprise’s data landscape and a relevant threat model based on confidentiality, integrity, and availability should be applied to ensure required controls are enforced through its lifecycle.”
NIST SP-800-160 and 800-209 are both great resources. Ashish Thapar, VP Consulting at NTT Security, adds, “Having a solid knowledge of business processes, data flows, and systems is important – before any data protection initiatives are driven.” Thapar advocates a ‘Secure-by-Design and business-centric ‘Enterprise Security Architecture’-based approach for data management, which is no different from managing compute and network elements.
Others also commented on the need to build a high-performing team with effective tooling. For example, Dick Wilkinson, Former CISO at New Mexico Supreme Court, states, “Don’t underestimate the human resources it may require to effectively secure large data sets and the cost associated with data management. Don’t risk underspending on security.”
Everyone agreed that organizations should pay much more attention to ensuring the recoverability of data, as the paradigm shifts to the working assumption that it’s a matter of “when” rather than “if” an attack will succeed. John Meakin, Former CISO at GSK, BP, Standard Chartered, explains: “CISOs cannot control all the platforms, which makes data protection the only solution.” Sunil Varkey adds: “The crown jewels of any kingdom are to protect its data, and it’s not an easy task considering the many environmental changes and motivated adversaries around.”
For more advice from these CISO and others read the full guide.
Get in touch to see how you can detect, prioritize, and fix all security risks in your storage & backup systems.