I recently attended the ISC2 Security Congress here in Orlando. Normally I really don’t expect much from this type of conference, and this is the first one I have been to hosted by ISC2.
I needed CPEs so I went.
One of the presentations in particular was rather interesting.
It was from a couple of folks at Spirion and they were floating the idea of a new discipline called “Data Protection” which is a combination of data privacy and information security.
Basically, the drivers for their idea are:
- The multitude of new laws and frameworks that are trying to protect personal data.
- No department (legal, compliance, security) wanting to take responsibility for it. (They called it confusion, I call it not wanting to do it because it’s hard)
- Data breaches caused by vulnerabilities that “fell through the cracks.”
It’s interesting that many older laws and/or frameworks are written to address either security or privacy but not really both.
PCI-DSS is security-focused and GDPR is privacy-focused.
Security is focused on protecting data; privacy is focused on what you can do with someone’s data.
The Data Protection disciple (?) would need to be well-versed in both security and privacy, now that many of the “breach laws” not only deal with what happens in the event of a breach but lay out security requirements as well.
As I continued to listen to the presentation, I realized this is an extraordinary opportunity for InfoSec groups who are flailing away and treading water to become company leaders instead of just a nuisance org.
If you are in an environment where no one wants to take this on, do it, and become the bridge between these groups (legal, security, IT, Ops, etc.) that ensures the protection of data does not fall through the cracks.
Make your mandate the discovery of all data assets, just like the discovery of physical assets is step one in knowing what and how you need to protect your systems.
As you discover and classify data, bring these groups together. I bet they didn’t know that sensitive data you just found was there or even what it was being used for. Make a decision as a group and move forward with buy-in from those stakeholders.
Now you are really protecting the company.
The bottom line:
- Fear doesn’t work
- Force may work in the short term; long term, it’s not really good for collaboration
- Pleading works at times
- Compliance as a stick works to a point; it usually only gets you the minimum.
There’s a lot more to this idea, but my initial thoughts are this is worth pursuing.
In the end, this is all part marketing campaign for InfoSec, part something that should have been done from the beginning, and also, I think, a way to get out from under the constant downer of being seen as nothing more than a nuisance org.