No Accountability = No Data Security
Accountability is an essential ingredient of any successful business. Whether it’s meeting a sales quota, delivering a report, or staying within budget, every employee has something for which they are held responsible.
Unfortunately, despite the world’s precious information becoming easier to lose, steal or mishandle, personal accountability is often not applied to ensure the safe use of this data. Yes, many companies have acceptable use policies, and governments have passed regulations, but clearly toothless laws and threats of punitive HR action have done virtually nothing to deter insiders – and certainly not cyber attackers – from taking data whenever and however they wish. The fact is, too many companies have paid too little attention to whether their sensitive data is handled properly, let alone defined clear chains of accountability into the business processes where such data is most at risk.
As evidenced by the flattened carcasses of CISO careers run over by failed data loss prevention (DLP) deployments, nowadays it is both fashionable and facile to simply blame technology for the failure of companies to protect their data. But let’s be honest: most DLP vendors have simply followed the money wherever a reactive, obstinate and uninformed market has led them.
The technology that we now derisively call “Data Loss Prevention” was doomed out of the gate, a one-trick pony that ran the wrong way in its first race. It turns out DLP couldn’t be practically deployed to actually stop data leakage, but ironically was exactly what the early market adopters (e.g. banks, insurers, government agencies) asked for in order to get compliance auditors off their backs. They asked for, and received, something that was simple, looked busy and maintained plausible deniability when it inevitably failed. In other words, the IT answer to a politician.
DLP is what happens when supply meets demand at an irrelevant intersection. The major industries that historically drive IT innovation, and which happen to consist of the organizations most vulnerable to data compromise (e.g. retailers), blindly validated DLP’s inability to actually hold anyone accountable for protecting sensitive data because that wasn’t the point. Seriously, should we really be surprised when Target gets hacked (but we were PCI compliant!) or when Ed Snowden single-handedly de-pants the NSA (we spy on everyone but ourselves!)? Looking back, any outcome other than DLP’s unmitigated failure would have been a miracle.
The red herring of DLP temporarily drowned out the visionaries (both vendors and buyers) who were keen to beat back the data marauders when it wasn’t cool. But those voices, alas, are now the clearest and most relevant. A new era of big data security is taking form, one whose fundamental premise is to use irrefutable evidence, confirmed by accountable data owners, to deconstruct the gray world of risk into the blacks and whites of productive security.
It won’t be easy, but what choice do we have? The market as a whole must dust itself off, redefine security in light of past failures and demand that the defenders of information (i.e. everyone who creates, accesses or uses sensitive data) are held – wait for it – accountable for taking back the night.