2014: A Record Year for Breaches and Sensitive Data Loss
Why is data still being stolen despite record financial investment in security solutions? Because we’re missing a critical point – it’s about the data.
Welcome to DG Employee Perspectives!
Like most security companies, Digital Guardian has many employees steeped in security experience – and they have their opinions about what’s happening in our industry! From time-to-time we’ll present them here on our blog as industry news and views as seen by Digital Guardian employees. Without further ado, here's our latest Employee Perspectives post from Terry Seymour.
According to Gartner, the leading security industry research firm, organizations spent over $71B on security solutions globally in 2014 – the most spent in any year since Gartner started tracking this data. This raises the question: Why is data still being stolen at unprecedented rates, despite our investments in security?
I’ve been in the security industry for many years and I want to propose that it’s because we can’t “see” the data, nor the threats to it. We do not “understand” the data, and therefore we lack the ability to control and protect it. So why, with all the billions being spent on security technology, aren’t our requirements based upon that? Why aren’t CISOs demanding security solutions that ultimately protect the data?
The JPMorgan Chase, Target and eBay breaches are recent examples of the failure to see, understand and protect an organization’s most sensitive and confidential data assets, resulting in millions of dollars in damages and in losses of reputation and customer confidence. For JPMC, this came despite an estimated $250 million spent on digital security annually.
I’d suggest that until we focus on what really matters in security – the DATA – the consequences will be predictably dire. Network security; one-dimensional, infrastructure-heavy, deployment-challenged DLP; back-end analysis offerings; or hot, new endpoint threat detection approaches, alone or in combination, won’t get it done. Understandably, vendors will line up with “the answer” as long as they have a willing, participating audience. But the enterprise needs to demand a solution that addresses the real issue, data protection, not the next blinky-box network appliance, particularly when the general consensus in the security community is that the network perimeter dissolved a few years ago.
Put simply, the security landscape has changed and so have the types of threats to sensitive data. Most security and risk professionals operate under an “assumed state of compromise”. They know the bad stuff is already in their environment, so they now put a great deal of emphasis on what to do after a data breach has occurred to minimize its impact and prevent it from happening again in the future.
But it doesn’t have to be that way. Real and meaningful data protection can be achieved, and here’s what’s needed to do it:
- visibility into where data is at all times;
- an understanding of the intent of the user;
- real-time correlation to block actions that put data at risk, regardless of whether the action is the result of a legitimate user request or of a malicious process resulting from an outsider attack.
Steve Katz, widely credited as the world's first Chief Information Security Officer (CISO), said it well: “Information security is not a technology issue, it's a business issue.” Business users work across this ever-changing landscape, and unless you wish to restrict their activities beyond acceptable pain thresholds, you need capabilities that both protect the data and provide the flexibility those users expect in order to conduct normal business activities.
To be clear, no single technology offers a silver bullet. However, real data protection can dramatically reduce the threat surface you need to defend. If enterprises don’t move toward a security solution that addresses the fundamental requirements of visibility, comprehension, control and protection of their critical data assets, the data breach trend of 2014 will be dwarfed by what we’ll see in 2015 and beyond.
About Terry Seymour
Terry has 30 years’ experience in the high-tech industry, with 12 of those dedicated to digital security. Throughout these roles, Terry has been responsible for solving high-value data protection problems for Global 1000 and SMB clients across multiple industries. At Digital Guardian, Terry manages sales of advanced data protection solutions and managed services that secure sensitive data and assure the integrity of business processes.