Driving Security And Innovation Together To Power Today's Data Company
This article originally appeared on Forbes.com as part of Delphix CTO Eric Schrock’s ongoing column.
Success in today’s economy is built on the power of data. Data has dramatically changed how businesses innovate and drive disruption. Entire industries are shifting toward data-fueled digital services, such as evolving from car ownership to mobility as a service, or from insuring assets to ensuring behavioral outcomes.
As the reliance on data increases, companies that win the innovation battle will likely be the ones that leverage high-quality, secure data to deliver differentiated services and lead their respective markets.
But here’s the secret most companies fail to understand: Rapid and secure access to data is at the heart of every enterprise initiative. When security teams clamp down on access to data, the company loses its capacity to innovate, which is a greater risk to the future success of the business.
Jedidiah Yueh wrote that in a world where every company is a data company, the fast eat the slow. In many ways, limiting innovation flow can pose a greater risk to the business than a data breach, because liberating data to the right teams in a fast, secure way is essential to surviving in today’s digital economy. (Full disclosure: Jedidiah Yueh is the founder of Delphix.)
Why Data Privacy And Security Go Hand In Hand With Innovation
First, we must have a clear understanding of data security and data privacy. Data security is all about ensuring the right people have access to data and the wrong people don’t. Phishing, malware, hacking and social engineering are all very real threats. Good data security requires asking questions such as, "How are my teams patching their systems? How is data protected at rest and in transit?"
While data security is about protecting data from outsiders, data privacy has to do with governing how that data is collected, shared and used within an organization while achieving compliance with varying regulatory programs around the world. Because systems and humans are fallible, it’s critical to focus on the potential risk that may reside within your company, what an acceptable level of risk is in each environment and how to proactively mitigate that risk. Data privacy requires questions such as, "What data is being collected, and where is it going? What policies do we need to adhere to?"
Regulations attempt to enforce data privacy, but companies need to think about more than just adhering to the latest legislation. Companies must take a broad view of data privacy, starting with a clear understanding of what data is being gathered, how that information is being conveyed to customers and what controls they are given to manage the use of that data. From there, mitigating the breach risk of personally identifiable information and proprietary company information will be key as data flows across the company and out into third-party services. But, just as data touches almost every aspect of risk in modern business, it is also the backbone of innovation companywide.
Integrating Security Into Your Innovation Workflow
The proliferation of digital services that companies create and consume is vastly expanding the surface area of risk. It's no longer just a website that collects data, but a plethora of microservices, internet of things (IoT) devices, mobile devices and software as a service (SaaS) all working together. Oftentimes, the easiest solution is to simply lock down access to data, but this severely limits the company's ability to innovate in an era in which data is transforming every company as well as industries around the world.
A better solution is to map out the flow of critical enterprise data and get a better view of where data is coming from and where it’s going. That end-to-end view will help assess the risk within the data and manage risk to an acceptable level across different parts of the enterprise.
By far the biggest lever one can apply to mitigate risk is to mask sensitive data before it reaches non-production environments. If credit card numbers and Social Security numbers simply don't exist in those non-production systems, the risk is massively reduced. The challenge then becomes finding a way to continuously deliver de-identified data to non-production systems and manage change within that data, which radically changes your risk profile.
In 2016, the SEC was subject to a data breach of its EDGAR filing system. This was supposed to be a test system, but it turns out that many companies were submitting real filing data as part of the test process. Threat actors allegedly gained access to one of these databases through a software vulnerability in the test filing component. The SEC didn't provide any information on which companies were affected by the breach or how extensive it was.
Test data needs to be realistic, but using production data puts companies at too great a risk. The knee-jerk response is to beef up security or shut down access to the test database, but that would limit the ability of companies to move with velocity and confidence. A better approach would be to automatically classify the data within that database, so that sensitive information is less likely to be included, and to mask it, so that teams can keep working with realistic test data without compromising data privacy.
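The classify-then-mask approach described above can be sketched as follows. This is an added example, not code from the original article or from Delphix. The function names, sample rows and key are constructed for illustration. The mapping is deterministic, so the same production value always masks to the same test value and joins across tables keep working.

```python
import hashlib, hmac, re

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")
CARD_RE = re.compile(r"\d(?:[ -]?\d){12,18}")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(values):
    """Label a column 'ssn', 'card' or None from the values it holds."""
    if values and all(SSN_RE.fullmatch(v) for v in values):
        return "ssn"
    if values and all(CARD_RE.fullmatch(v) and luhn_ok(re.sub(r"\D", "", v)) for v in values):
        return "card"
    return None

def mask(kind, value, key):
    """Replace the digits with keyed pseudorandom ones, keeping length and separators."""
    n = sum(c.isdigit() for c in value)
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    digits = list(str(int(mac, 16)).zfill(78)[-n:])
    if kind == "ssn":
        digits[0] = "9"                      # area 900-999 is never issued as an SSN
    else:                                    # card: recompute the Luhn check digit
        body = "".join(digits[:-1])
        digits[-1] = next(c for c in "0123456789" if luhn_ok(body + c))
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in value)

def mask_table(rows, key):
    """Classify every column of a list-of-dicts table and mask the sensitive ones."""
    kinds = {col: classify([str(r[col]) for r in rows]) for col in rows[0]}
    return [{c: mask(kinds[c], str(v), key) if kinds[c] else v for c, v in r.items()}
            for r in rows]

# Constructed sample rows (well-known test card numbers, made-up SSNs).
PROD_ROWS = [
    {"name": "Ann Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"name": "Bob Example", "ssn": "234-56-7890", "card": "5555-5555-5555-4444"},
]
MASK_KEY = b"constructed-demo-key"           # assumption: real keys live in a secrets store

if __name__ == "__main__":
    for row in mask_table(PROD_ROWS, MASK_KEY):
        print(row)
```

The masking key has to stay out of the non-production environment: Social Security numbers have a small enough value space that an unkeyed hash of them can be reversed by enumeration.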
Which Is The Greater Risk: Security Or Lack Of Innovation?
It depends. Data breaches can cause you to lose customer loyalty and trust and to suffer brand-reputation damage and regulatory penalties that impact your ability to compete in the market and force you onto a path that is irreversible.
In either case, your company ends up on a path from which it can’t ever recover. Without continual innovation, you’ll eventually be driven out by your competition in today’s highly competitive world. Lack of innovation tends to be a slower death, whereas the security blow knocks you out. Only mature data companies are able to navigate these nuances to effectively assess, mitigate and control data risk in a way that unlocks innovation while preserving customer trust and regulatory compliance.