You’ve all heard the statistics about the growth of digital data:
2.5 quintillion bytes of data are created each day
90% of the world’s data was generated in just the past two years
The “global datasphere” will grow from 33 zettabytes in 2018 to 175 zettabytes by 2025; remember that a zettabyte is one billion terabytes, and each terabyte is equal to one million megabytes
There are a lot of reasons why we have so much data: more computing devices; tons of connected things; really inexpensive compute power and data storage; sophisticated data mining tools; cloud computing; massive regulatory footprints; tech-savvy users and employees; demanding data-retention policies, and more.
While this obviously creates big challenges for organizations, it also has resulted in fantastic business opportunities and new ways of serving businesses, consumers, communities, and societies in general. Without a doubt, nearly every company is now a data company.
American Airlines gave us a glimpse of this 30 years ago when it rolled out its revolutionary SABRE airline reservation system. American’s legendary CIO, Max Hopper, had the foresight to know that American had to be more than an airline; it had to be a company that used data for competitive advantage.
Today, many companies look and act in traditional manners but have transformed into data companies. Media outlets no longer just sell advertising; they sell access to buying intentions of their readers and visitors. Healthcare providers don’t just treat illnesses and make patients well; they develop insights on a treasure trove of data about everything from population health to the spread of infectious diseases. Retailers don’t just sell goods in stores; they collect, analyze, and share data on buyer behavior, preferences, and actions—even intelligence on merchandise theft.
A data revolution
But when every company becomes a data company, the stakes are raised—substantially—for protecting data against cyber risk.
The amount, diversity, and velocity of data have changed in revolutionary ways over my career. When I started in the information security space in the early 1990s, we only had to worry about the perimeter. We built a large electronic wall at the edge of the network, and eventually, that wall safely separated our data from the perils of the internet. We figuratively circled the wagons around our data, typically in a single headquarters facility where our data resided—in data centers, on local area networks, and on desktop computers. Security wasn’t necessarily easy, but it was relatively simple to plan for and implement.
But when Amazon Web Services was formed a decade ago, followed by other public cloud platforms, everything changed. Soon, it was acceptable, and even desirable, for us to use personal devices, web-based applications, cloud services, and unsecured networks to do our work. And since we were now doing work virtually around the clock, our organizations didn’t mind what they assumed to be a modestly upgraded set of cybersecurity threat vectors.
Now, we have to confront a difficult reality: Not only is our data at greater risk than ever, but the very viability of our organizations is under unprecedented attack.
The fortunes of shareholders, customers, trading partners, employees, and the entire connected business ecosystem hang in the balance if we don’t get this right. All companies now are data companies, and that means that all companies must rethink their cybersecurity strategy.
Why? And how?
Data silos everywhere
One of the most important things to realize is that we now have data silos everywhere. As those data silos have emerged and expanded, organizations have put in place a litany of security tools to deal with what they’ve believed to be unique security issues for each data silo.
Frankly, it has become a mess: Small organizations often have around 10 to 15 distinct security tools to monitor and manage, while it’s fairly typical for large enterprises to have 150 or more. Your InfoSec teams have to understand, manage, anticipate, and remediate cybersecurity problems for each of those data silos, using distinct and disparate tools.
What a morass this has become—especially when we add in all the cloud services our employees and users take advantage of, each with its own sets of data and its own security tools.
Of course, not every industry is in the same risky position when it comes to protecting its data and ensuring its viability as a data company. Technology-based companies are likely to be in the best position—even if they usually have the most data to contend with—because they’ve seen the development of higher levels of risk up close.
Other industries that have been highly dependent on data—financial services, healthcare, and logistics, for instance—have already begun re-architecting their security frameworks.
Then there are industries where organizations are playing catch-up to their massive data growth and heightened security risks. Sadly, one of the most at-risk industries when it comes to ensuring their futures as data-driven organizations is government, a segment where the sophisticated and innovative use of data can have massive upsides for our societies. At the federal or national level, governments often understand the risk, but their bureaucracies impede their ability to address the problem in a timely manner. And local governments may be slightly nimbler, but they face a familiar problem: The lack of sufficient financial and personnel resources to suitably address the risks.
So, what should organizations do in order to properly secure their status as data companies?
First: Organizations should reimagine their cybersecurity defensive posture—perhaps radically so, if data is becoming a critical point of differentiation for your organization. Prevention controls must be deployed at every phase of the much-discussed intrusion kill chain. That’s become increasingly difficult with the expansion of data silos and new threat vectors that span far beyond the perimeter. That means a platform approach to securing all those “data lakes” that have evolved in recent years, where a common security framework is deployed in each and every data lake. It’s more efficient to manage, less expensive to procure, and faster to deploy.
Second: You need to move away from the multi-security-solution-vendor paradigm that has spread like kudzu over the years. Having a different vendor for dozens or even hundreds of point products for cybersecurity is a losing proposition.
Your InfoSec team has to be certified on dozens of vendors’ solutions and then retrained on a regular basis to maintain that certification. Plus, there’s the stark reality that having multiple vendors’ point products doesn’t promote redundancy and reinforcement; quite the contrary. Since those different vendors designed their solutions for specific problems, those products were never going to work seamlessly together.
Third: Business executives have to understand that, in order to become a data company, you actually have to store and have easy access to all that data. The good news is that, because data storage today is really cheap—both in your physical data centers and in the cloud—you have access to more data than ever. And powerful analytics tools allow you to find the needle in the haystack that can make the difference between really understanding your customers and guessing what they want.
But that puts the onus back on your CISO and the SecOps teams to reliably, efficiently, and affordably secure all that data. As we’ve often discussed on SecurityRoundtable.org, you don’t do that simply by hiring more security engineers, for several reasons.
One, there is a big and growing gap between security skills required and talent available. Two, the bad guys are using sophisticated machine learning tools to spot vulnerabilities and exploit them, and you need to counter software and automation with, well, software and automation.
So, as you plot your strategy to harness all that massive data in order to transform your company into a data company, don’t forget to reconstruct your cybersecurity strategy in lockstep. If you don’t, the possibility of drowning in your data lake may be the least of your problems.