CISO and CDO Meeting of the Minds: Data Security is Key to Digital Transformation

By Special Guest
David Greene, CRO, Fortanix
  |  July 22, 2020

In most industries, businesses are evaluating and kicking off digital transformation initiatives to see how they might gain competitive advantage, improve customer experience, and increase profitability. In many cases, technology can be used in digital transformation to create new business models, digitize records, or leverage machine learning and artificial intelligence to improve results. Across all industries, data is the focal point of digital transformation and securing it is paramount to the success of digital transformation projects.

Major trends, including public cloud migration, the rise in Software as a Service (SaaS (News - Alert)) application delivery, the increasing cost of data breaches, proliferating privacy regulations, and the importance of data analytics all rely on data security as an increasingly critical component of their success. While most cybersecurity programs rightfully focus on risk reduction, CISOs and information security leaders are beginning to realize a new opportunity to unlock the business potential of data. With the emergence of the Chief Data Officer (CDO) at many organizations, there is an increasing understanding about the benefits of commercializing or monetizing business data, much of which is sensitive. In this new era of digital transformation, the CISO and information security organization can become an important enabling resource when implementing security analytics programs and sharing this information for initiatives led by the CDO.

With a focus on monetizing data, technologies such as machine learning, artificial intelligence, big data, and analytics create the ability to share data, yielding potential benefits such as discovering drugs that cure diseases, eliminating financial fraud, and unlocking business insights that transform industries. But, hospitals, financial institutions, and other organizations are correctly prohibited by privacy regulations from sharing this potentially powerful data because it is sensitive and private. However, advances in encryption, trusted execution environments (TEEs) and analytics now make it possible to protect privacy while sharing private data, unlocking and advancing new learning and data-driven business opportunities. Privacy preserving analytics can be applied in cases where multiple parties have private data that needs to be combined and analyzed without exposing the underlying data or machine learning models to the other parties.

Protecting private data and reducing business risk should be the primary objectives of digital security transformation programs. The first step in this process is to document business risks using a process that identifies threats, assigns a probability of the threat happening, and estimates the impact of the risk if it does happen. Documented risks can then be prioritized based on the probability they might occur and their estimated impact.

After the business risk assessment is complete, an organization should classify its data according to the business risk before determining security controls and policies needed to protect that data. Data classification in an organization often involves four levels – public, internal, confidential, and restricted data. Once data is classified to a certain level, the organization can determine access controls and policies required to keep the data safe.

The next step in this process is actually creating the policies and security controls for accessing data as determined by the established data classification levels. For example, personally identifiable information (PII) is likely classified as “restricted” data. This data, in most cases, would need to be encrypted throughout its data lifecycle, labeled as PII, accessible only to the applications and users that require access, and never transmitted outside the organization through email. Preventative security controls could include technologies such as encryption or tokenization of PII. Detection-based technologies can monitor for unauthorized access to the data or encryption keys leading to remediation of the threat, which might be automatically revoking an encryption key. Predictive technologies can also analyze audit logs and risk assessment to determine gaps in policies or controls.

Businesses are re-inventing themselves through digital transformation initiatives. It is important for information security organizations to become more strategic to the business by aligning to business goals and enabling the business to leverage and benefit from security and private data. Major trends including migration to public cloud, the expansion of Software as a Service (SaaS) application delivery, the increasing cost of data breaches, proliferating privacy regulations, and the importance of data analytics require that data security be at the top of every CISO’s priority list.

CISOs should begin by leading a transformation of their data security program that puts in place a strategic approach to mitigating risk and aligning with business objectives. Then, information security organizations should implement data security controls designed to prevent, detect, respond to, and predict threats. As organizations place a higher priority on monetizing data analytics and sharing, CISOs should look for opportunities to help CDOs remove regulatory, privacy and security obstacles using technologies such as privacy preserving analytics in order to advance the organization through leveraging data.

About the author: David Greene is Chief Revenue Officer at Fortanix. He is a proven business leader with the expertise to drive growth and the energy to get teams excited about the journey.  Over 20+ years of executive and hands-on experience in sales, marketing, general management, and operations at companies of all sizes and stages.  Deep experience with enterprise and service provider customers involved with cloud, security, SaaS, IT automation, DevOps, and other technologies.




Edited by Erik Linask