05-21-20 - Data as Asset and Liability? Awkward!

Data as Asset and Liability? Awkward!

May 21, 2020

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Data Classification

Data Classification

 On this episode of Defense in Depth:

Co-host Allan Alford and guest Nina Wyatt, CISO, Sunflower Bank, discussed:

  • Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist.

  • Classification tools that tout automation, really aren't. There is still a good amount of manual intervention.

  • Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed.

  • Data is mostly unstructured and it needs to be structured to the sense that you know how data is flowing, and that is extremely difficult to do.

  • We spend more time on hardware and networking diagrams but what we should be doing is diagramming data flow.

  • Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it.

  • People think holding onto data is costless, but reality is the more you hold onto it becomes very costly from a security perspective.

  • Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, that has the same value as a bank statement from today.

  • The questions you need to be asking: Is your data sensitive, does it have open permissions, how long has it been since the data was accessed?

  • Data with PII is both an asset and a liability.

  • Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes.

  • Security of data is usually not the factor many consider. We are often thinking about the security around data.

Thanks to this week's sponsor of Defense in Depth, Cmd.

Cmd

provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

 

Bobby Ford, CISO, Unilever on following the path to your critical assets

 Upcoming Video Chat 

  

Friday [5-29-20] Hacking Zero Budget Security

Join us for “Hacking Zero Budget Security: An hour of critical thinking about what you can do with an all-star security team and no budget for tools”.

It's happening on Friday, May 29th, 2020 at 10 AM Pacific/1 PM EasternLeading the conversation with me will be Matthew Southworth, CISO, Priceline and Justin Berman, head of security, Dropbox.

Best Moments from "Hacking the Visibility of the Cloud"

Best Moments from "Hacking the Visibility of the Cloud"

Highlights from "Hacking the Visibility of the Cloud" Video Chat. To watch the full video and read the chat go here.

I moderated the discussion with Rishi Tripathi, svp, CISO, NBA and Avi Shua, CEO & co-founder, Orca Security and former chief technologist at Check Point.

Check out the video and post for the winner of best bad idea and some notable quotes from the chatroom.

Thanks to our video chat sponsor, Orca Security.

Mike Johnson on pitching brand new CISOs

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.