Data Security Posture Management: Accelerating Time to Value
Data discovery and classification are foundational for data security, data governance, and data protection.
Todd Thiemann, Senior Analyst, Enterprise Strategy Group
September 23, 2024
COMMENTARY
When it comes to your sensitive data, not knowing where your crown jewels are located, or failing to ensure they are adequately secured, can have catastrophic consequences. Data resilience is the subset of cyber resilience focused on an organization’s data assets. Security teams need a strategic approach to data resilience — understanding where their sensitive data stores are located and what’s inside — to effectively secure their data.
Data discovery and classification are foundational for data security, data governance, and data protection (backup and recovery). You can’t secure what you don’t know exists (discovery), and you need to know what is inside a data store (classification) to take appropriate action to mitigate your risk.
My latest Enterprise Strategy Group research, conducted with my colleague Jon Brown, explores how enterprises are ensuring data resilience, which is the intersection of data security posture management (DSPM), data security (hardening data with encryption, masking, etc.), data protection (backup and recovery), and data governance. We surveyed 370 IT and cybersecurity professionals from midmarket and enterprise companies about data resilience and DSPM. In the fast-evolving DSPM space, the research found that the first phase of a DSPM deployment to locate, categorize, and establish policies around sensitive data took less than six months for 76% of the respondents, with the largest cluster being four to six months for more than 40% of those responding.
DSPM vendors differentiate themselves on the time to value (TTV) for their offerings, and the different technologies probably have a significant impact on TTV. Implementing DSPM is like any other project in combining people, process, and technology. Much of the time required to operationalize a technology deployment comes from the people and process side of the equation. While the TTV varies, in talking to various chief information security officers (CISOs) and vendors, we found that the typical steps in a project are:
- Align stakeholders and plan.
- Identify exposed data stores and mitigate.
- Identify data stores with critical data.
- Classify data (cardholder data for PCI DSS, protected health information, personally identifiable information, information covered by GDPR) according to your organization’s categories (public, internal, sensitive, restricted).
- Identify/delegate data owners.
- Identify users with access to sensitive/restricted data and validate that the access is needed (the stale access problem).
- Restrict access to need to know, least privilege.
- Identify misconfigurations and mitigate.
- Determine necessary security controls to protect data based on classification.
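The discovery, classification, exposure and stale-access steps above can be illustrated with a small script. This is an added example written for this page, not code from the article or from Enterprise Strategy Group, and it stands in for the kind of checks a DSPM product automates at scale. The data store inventory, the access grants, the regex detectors, the 90-day idle threshold and the mapping from regulated categories to the public/internal/sensitive/restricted tiers are all constructed or assumed for the example; a real deployment would take its classification policy from the stakeholder alignment step described below.

```python
import re
from datetime import date, timedelta

# Organization's sensitivity tiers (from the classification step); higher rank wins.
TIER_RANK = {"public": 0, "internal": 1, "sensitive": 2, "restricted": 3}

# Regulated-data detectors, constructed for this example (not an exhaustive set).
PATTERNS = {
    "cardholder_data": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digit PAN candidate
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "health_record": re.compile(r"\bMRN[:\s]*\d{6,}\b"),  # medical record number
}

# Assumed policy mapping: regulated category -> organization tier.
CATEGORY_TIER = {
    "cardholder_data": "restricted",
    "ssn": "restricted",
    "health_record": "restricted",
    "email": "sensitive",
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum so order numbers and timestamps are not misclassified as PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the regulated-data categories detected in one record."""
    found = set()
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if category == "cardholder_data" and not luhn_ok(m.group()):
                continue
            found.add(category)
    return found


def classify_store(records) -> tuple:
    """Classify a store as the highest tier among the categories found in its records."""
    categories = set()
    for record in records:
        categories |= classify_text(record)
    tier = "internal"  # assumed default when no regulated data is present
    for category in categories:
        if TIER_RANK[CATEGORY_TIER[category]] > TIER_RANK[tier]:
            tier = CATEGORY_TIER[category]
    return tier, categories


# Constructed inventory: store name -> access control setting and sample records.
INVENTORY = {
    "crm-prod": {"acl": "private",
                 "records": ["Jane Roe <jane.roe@example.com> renewed",
                             "Order 1234567890123456 shipped"]},
    "payments-archive": {"acl": "public",  # misconfiguration: world-readable PAN data
                         "records": ["card 4111 1111 1111 1111 exp 12/27", "refund 12.50"]},
    "clinic-notes": {"acl": "private",
                     "records": ["MRN: 0048213 follow-up scheduled", "SSN 123-45-6789 on file"]},
    "wiki": {"acl": "private", "records": ["Lunch menu for Friday", "Build 2024.09.1 released"]},
}

# Constructed access grants with last-use dates (None = never used).
GRANTS = [
    {"user": "alice", "store": "payments-archive", "last_used": date(2024, 9, 20)},
    {"user": "bob", "store": "payments-archive", "last_used": date(2024, 3, 2)},
    {"user": "carol", "store": "clinic-notes", "last_used": None},
    {"user": "dave", "store": "wiki", "last_used": date(2023, 1, 1)},
]


def assess(inventory, grants, today: date, max_idle_days: int = 90) -> dict:
    """Classify every store, flag exposed sensitive stores and stale grants."""
    report = {"tiers": {}, "categories": {}, "exposed": [], "stale_grants": []}
    for name, store in inventory.items():
        tier, categories = classify_store(store["records"])
        report["tiers"][name] = tier
        report["categories"][name] = categories
        # Exposure check: public ACL on a sensitive or restricted store.
        if store["acl"] == "public" and TIER_RANK[tier] >= TIER_RANK["sensitive"]:
            report["exposed"].append(name)
    cutoff = today - timedelta(days=max_idle_days)
    for grant in grants:
        # Stale-access check only matters for sensitive/restricted stores.
        if TIER_RANK[report["tiers"][grant["store"]]] < TIER_RANK["sensitive"]:
            continue
        if grant["last_used"] is None or grant["last_used"] < cutoff:
            report["stale_grants"].append((grant["user"], grant["store"]))
    return report


if __name__ == "__main__":
    result = assess(INVENTORY, GRANTS, date(2024, 9, 23))
    for store, tier in result["tiers"].items():
        print(f"{store}: {tier} {sorted(result['categories'][store])}")
    print("exposed:", result["exposed"])
    print("stale grants:", result["stale_grants"])
```

Running it classifies `payments-archive` and `clinic-notes` as restricted, flags `payments-archive` as exposed because it is public, and lists the two grants that have not been exercised within 90 days; those two lists are the inputs to the mitigation and least-privilege steps. The Luhn check is the kind of false-positive control a practitioner wants in classification logic, since a 16-digit order number otherwise looks like a card number.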
In speaking to both security leaders and DSPM vendors, the initial step of achieving stakeholder alignment and planning for the rollout is probably the most important to project success. Here is what that step involves:
Engage key stakeholders: Start by aligning key stakeholders, such as GRC (governance, risk, and compliance), data teams, IT data protection, cloud architects, and security teams. Ensure that everyone understands the objectives, benefits, and their respective roles in the DSPM deployment process. Focus on the win-win.
Define goals, definitions, and metrics: Collaboratively establish the goals of the DSPM initiative, such as reducing data exposure, achieving compliance, improving overall data security posture, or facilitating generative AI deployment. Arrive at what data is sensitive to the business and data classification definitions. Agree on key performance indicators (KPIs) to measure progress and success. Planning upfront avoids or minimizes friction as the project progresses.
Secure executive buy-in: Present a clear case to constituents, highlighting the importance of DSPM in mitigating data risks, achieving regulatory compliance, and supporting business goals. Ensure top-down support for resource allocation and prioritization. DSPM has many constituents, and getting executive buy-in ensures adequate resourcing and team responsiveness.
Assign roles and responsibilities: Clearly define the responsibilities of each team. For example, GRC will focus on compliance and policy alignment, data teams will manage data classification and ownership, and security teams will oversee the implementation of security controls and monitoring.
Getting off on the right foot and achieving alignment at project inception will increase your chances of overall DSPM project success.
About the Author
Senior Analyst, Enterprise Strategy Group
Todd Thiemann is a senior analyst at the Enterprise Strategy Group, researching data security and identity and access management (IAM). He is an information security veteran with more than a decade of information security experience across a range of subjects including encryption, key management, IAM/authentication, identity security, and security operations at leading cybersecurity companies including Arctic Wolf Networks, Trend Micro, Vormetric/Thales, and Nok Nok Labs. He graduated from Georgetown University with a bachelor of science degree, and earned an MBA from the Anderson School at UCLA. He enjoys cybersecurity because it is ever-changing and continually challenges us to simply explain things while not losing essential nuance.