I think fragmentation of knowledge is a root cause of data breaches.
It’s almost a cliche to say that the security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years.
It is apparent that government regulation is ineffective in preventing identity theft and major data loss events.
Given: direct data security countermeasures go a long way; data loss prevention and network surveillance work well inside a feedback loop to improve security of systems, increase employee awareness and support management accountability.
However: I believe that even if every business deployed Fidelis XPS Extrusion Prevention system or Verdays Digital Guardian or Websense Data Security suite – we would still have major data loss events.
This is because a major data loss event has three characteristics:
1.Appears as a complete surprise to the organization
2.Has a major impact to the point of maiming or destroying the company
3.Event, after it has appeared, is ‘explained’ by human hindsight.
The root cause of the surprise is, in most cases, a lack of knowledge – not knowing what is the current range of data security threat scenarios in the wild or not even knowing what are the top 10 in your type of business.
The root cause of the lack of knowledge is fragmentation of knowledge.
Every business from SME to Global 2000 deals with security issues and amass their own best practices and knowledge base of how to protect their information. But, the knowledge is fragmented, since business organizations don’t share their loss data, and the dozens or maybe hundreds of vendor web sites that do disclose and categorize attacks don’t provide the business context of a loss event.
Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.
So what’s the solution?
With our clients, we see growing evidence that the more organized a company is with their security operation – having a single security organization responsible for digital assets, physical security, permissions management and compliance – the better security they deliver. What’s more, they may be able to reduce value at risk at lower costs due to higher levels of competence, knowledge and economy of scale.
The concept of sharing best practices and aggregating support so that companies of all sizes can access knowledge and support resources is not new, it’s a common theme in industrial safety and Free Open Source worlds – to name two. I imagine that there are a few more examples I am not familiar with.
But what’s in it for security professionals? In addition to the satisfaction and prestige in helping colleagues, how about learning from the biggest and best practioners in the world; having access to resources to improve your own systems and procedures and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation? How about having peers with a common goal of providing the best security for customers?
It’s time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation to employees and independent consultants that rewards high-quality, coordinated, customer-centric security across the full continuum of security, not just point technology solutions or professional regulatory services. And it’s time for firms to recognize that sharing some data may be worth the benefits to them and their customers.
That’s my opinion. I’m Danny Lieberman.