The Role of Data Governance in Cybersecurity
Data is a critical enterprise asset that underpins operations, drives decision-making, makes personalised end-to-end service delivery possible, unlocks competitive advantage, and more. Unfortunately, all this data represents a rich prize for cyber criminals looking to steal, hijack, or hold data to ransom. This is why cybersecurity has become a top strategic priority for today’s organisations, given the exponential rise of ransomware, phishing and other cyber threats.
As a consequence, security teams are doubling down on building the capabilities needed to prepare for and respond to cybersecurity incidents. This is no easy task given how digital networks and data volumes continue to proliferate, while remote working models mean organisations now need to balance productivity and data accessibility with security.
In addition, staying compliant with GDPR, CCPA, PCI DSS and other regulations means that as well as keeping data secure and available, organisations also have a legal responsibility to assure data privacy with regard to how data is collected, shared, and used.
Cybersecurity and data governance: understanding the inter-relationship
At its core, cybersecurity involves protecting the organisation’s infrastructure and data against attack, damage, or unauthorised access. The goal of data governance, meanwhile, is to define what data assets the organisation has, where data lives, who can take actions with it, when, and under what circumstances.
This is why data governance plays such a critical role in the implementation of an organisation’s security strategy: unless you know the value of your data, where it is located, and who has access to it, you can’t determine how best to allocate resources to protect it. In other words, once you understand the sensitivity associated with a data set, you can then assign the appropriate information security controls needed to protect it. In this way, effective data governance is a fundamental contributor to an organisation’s wider cybersecurity strategy.
Discovery and classification: the twin pillars of good data governance
Protecting data in accordance with its value or sensitivity is a critical part of data governance. However, the approach taken to data discovery and classification can make or break a data governance initiative that seeks to demonstrate compliance by applying controls and policies consistently and accurately. If you don’t know what or where your data assets are, then it will be impossible to efficiently use, manage, or protect them. This task is made considerably more challenging by the growing utilisation of cloud-based ‘as-a-service’ platforms and tools.
Representing the first essential step on the journey to effective governance, the data discovery process requires an end-to-end software solution that is able to connect to any type of data source and can identify data assets – wherever they may reside. This capability is key, otherwise organisations will be exposed to significant risk should an unsecured data asset experience a security or privacy breach.
Similarly, the data classification processes that organisations use to identify individual assets and apply the appropriate level of protection will also be critical. Ideally, organisations should apply intuitive classification types based on well-understood rule sets – such as GDPR and CCPA sensitivity, or Personal Information (PI) and Personally Identifiable Information (PII).
This can often prove a sticking point for organisations that fail to utilise an appropriate discovery tool. A precise classification depends on a tool that can discern and differentiate between PI data (which doesn’t identify a specific person and isn’t generally responsible for governance violations) and the more sensitive PII data. If this facility isn’t available, users will have no choice but to manually process and specifically isolate the more sensitive PII data.
Making smarter data protection decisions
Armed with these data governance insights, organisations will be able to make more informed decisions in relation to determining exactly what level of data protection and security controls should be applied to each data set. It can also enable some smarter decision-making when it comes to how security resources are allocated to support data protection goals.
For example, without these insights some organisations will typically resort to a ‘belt and braces’ approach and apply security technologies, such as least privilege management, to every data set they own, regardless of categorisation. While zero trust represents a highly effective route to achieving better security and protection, it can quickly become an expensive option if implemented across the board rather than just being utilised for those data assets identified as high value or high risk.
By contrast, other organisations will apply zero trust in batches based on their perception of which function creates and uses the most sensitive data. Typically this might include finance and HR. However, without having undertaken a rigorous data discovery and classification process, this risks overlooking other important data sources within the wider ecosystem that could result in potentially serious governance blind spots.
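As an added illustration of the classification-driven allocation described in this section and in the discovery and classification section above (example code, not the author’s or Nephos’s tooling): constructed sample data sets are labelled column by column, PII is distinguished from PI, and only the data sets found to hold PII attract the full least-privilege control set. The rule set, field names, sample rows and control names are all assumptions made for the example.

```python
import re

# Constructed rule set for this example: a PII pattern identifies a specific person on
# its own; a PI field carries a personal attribute that is not identifying in isolation.
PII_PATTERNS = [re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),  # e-mail address
                re.compile(r"^[A-Z]{2}\d{6}[A-D]$")]            # NI-number shape
PI_FIELDS = {"age_band", "gender", "city", "postcode_area"}
# Constructed mapping from sensitivity tier to the controls that tier attracts.
CONTROLS = {"high": {"least_privilege", "encryption_at_rest", "access_logging"},
            "medium": {"access_logging"}, "low": set()}

def classify_field(name, values):
    """Label one column 'PII', 'PI' or 'NONE', judging by content first, then by name."""
    samples = [str(v) for v in values if v not in (None, "")]
    for pattern in PII_PATTERNS:
        # A majority of non-empty values fitting a PII pattern is decisive.
        if samples and 2 * sum(bool(pattern.match(s)) for s in samples) > len(samples):
            return "PII"
    return "PI" if name.lower() in PI_FIELDS else "NONE"

def classify_dataset(records):
    """Label every column of a list of row dicts; returns {column: label}."""
    columns = sorted({k for row in records for k in row})
    return {c: classify_field(c, [row.get(c) for row in records]) for c in columns}

def sensitivity_tier(labels):
    """One PII column makes the whole data set 'high'; PI only is 'medium'; else 'low'."""
    found = set(labels.values())
    return "high" if "PII" in found else "medium" if "PI" in found else "low"

def control_plan(datasets):
    """Map each discovered data set to its tier and the controls the tier requires."""
    plan = {}
    for name, records in datasets.items():
        tier = sensitivity_tier(classify_dataset(records))
        plan[name] = {"tier": tier, "controls": CONTROLS[tier]}
    return plan

# Constructed sample rows standing in for sources found by discovery.
SAMPLE_DATASETS = {
    "hr_payroll": [{"email": "a.smith@example.com", "ni": "QQ123456C", "salary": "41000"},
                   {"email": "b.jones@example.com", "ni": "QQ654321A", "salary": "39000"}],
    "web_analytics": [{"age_band": "25-34", "city": "Leeds", "pages": 4},
                      {"age_band": "35-44", "city": "York", "pages": 7}],
    "product_catalog": [{"sku": "A-100", "price": "9.99"}, {"sku": "A-101", "price": "12.49"}],
}
```

Running `control_plan(SAMPLE_DATASETS)` places only the payroll set in the high tier, so the costly controls are spent where the PII actually is rather than across every data set.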
Implementing an effective cybersecurity strategy begins with data governance
Good data governance is fast becoming a prerequisite for any business focused on its potential to transform processes, decision making and performance. Without it, the integrity and accuracy of data cannot be guaranteed, and businesses are at greater risk of failing to comply with regulations such as GDPR and CCPA.
Data governance also plays a fundamental role in protecting an organisation’s data: ensuring that the right people have the right access and that appropriate security controls are in place to protect each system or service, based on the criticality or sensitivity of the data sets these contain. In other words, when it comes to implementing a cybersecurity strategy, data governance delivers the insights that organisations need to identify their high-value and high-risk data sets and allocate additional or specific resources to protect this data.
Ultimately, data discovery and classification are the two critical ‘must-have’ processes for enabling the good data governance that can contribute to the effective management of cybersecurity risk. Together, effective discovery and classification will deliver the insights and intelligence organisations need to boost compliance and safeguard data.
Michael Queenan
Michael is responsible for the overall strategy, direction and branding at Nephos, identifying future trends and building centres of excellence to deliver on those trends.