When Is Data an Asset and When Is It a Liability?

We're seeing increasing risks when it comes to organizations holding data. It's not just from cyberattacks either. A complex patchwork of laws and regulations puts additional risk of fines and other penalties on otherwise data-hungry organizations. So what framework should organizations use to determine when holding data has an actual benefit to the business or when it becomes a risky liability?

Check out these posts for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is Mario Trujillo, staff attorney, Electronic Frontier Foundation (EFF).

Information as an asset can carry a lot of baggage

When characterizing information as an asset, organizations often think of how holding it benefits the business. But just like physical assets, holding onto information comes with costs and risks. “CISOs need to share three aspects of data collection to business units: financial impact, modern business strategy, and administrative burden. Modern businesses are also considering ‘asset-light’ as a strategy to be more agile and competitive,” said Aldo Febro, PhD, CISO and privacy officer, Continuant. The costs of holding data become starkly apparent when a breach occurs. Vaughan Shanks of Cydarm Technologies points out that businesses need to understand these risks before collecting data, saying, “Organizations need to decide where we want to be on the brand trust spectrum between data exploitation and respect for privacy, and what risks we are willing to accept in the event of a breach.”

Connecting the dots for the business

If you want to effectively manage the risk that holding data poses, you’ve got to get buy-in from the rest of the business. "I’ve had some success promoting Privacy Impact Assessments. Get a line of business management to buy into reducing the exposure early. It helps when your colleagues already regard the data as having an element of liability," said Duane Gran of Converge Technology Solutions Corp. Another important consideration is that not all data should be treated equally. Shantanu Bhattacharya of Siometrix advocated for clear data categories, saying, "Use four categories: essential for providing services, essential for compliance, desirable to derive interesting insights and others. First two categories need to be captured more often than not. The third category should be captured based on cost benefit analysis."

Push data collection conversations upstream

Changing the thought process around data collection can meet resistance. It can be hard to shake the “data is the new oil” mentality. “Minimizing data collection upfront can be a hard sell. Understanding uses of data is usually a day two exercise that generally requires storing the user info somewhere as an interim step,” said Yasir Ali of Polymer Data Security. Your business can be so preoccupied with whether it can collect data that it doesn’t stop to think if it should. "Too often, we collect data because we can. When cyber programs first integrated SIEM tooling, and we grabbed any data we could because we might have a need later. It wasn't until vendors started charging per GB that we began purpose-driven collection requirements," said Rob Oden of Roblox.

Humanizing data collection

When we categorize data as an asset, we can forget that it’s often tied back to real people. When it becomes too abstracted, ethical considerations go out the window. "We need to weave data ethics into privacy conversations, and recognize the real humans the data represents. If you can't protect it, don't collect it," said Neal O'Farrell of Brainisphere. Paul Culligan of Data Defense Solutions called for more regulation to give security teams a stronger voice with data handling, saying, “Without restrictions, most orgs will keep more data with the thinking that they can monetize it in the future. That's not a battle that security teams will win internally.”

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to Material Security.


Join us TOMORROW, Friday, 02-23-24, for Super Cyber GAME SHOW Friday

We're going to have a return of Super Cyber GAME SHOW Friday this Friday, February 23rd, 2024. Come join CISO Series and watch the competitors go at it.

From The Weather Company, we’ll have brand new CISO Jonathan Waldrop and his coworker Jason L. They’ll be battling against Howard Holton, CTO of GigaOm, and his teammate Alex Wood, CISO of Uplight.

Who will emerge victorious?

Participate in the games and stick around for our meetup at the end.

It all starts at 1 PM ET/10 AM PT. And at the end of the hour, we'll have our meetup. BE THERE!


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Thom Langford, CISO, Velonetic. Thanks to Conveyor.


OPEN AUDITION! Looking for Next Hosts on CISO Series

Your favorite hosts of CISO Series shows are not going anywhere.

BUT, we’re developing a new show and we’re looking for your NEXT favorite CISO Series hosts.

And we’re looking for a pair of them, possibly two pairs!

Submit a recording to be CISO Series hosts

  • We’re looking for a two-person recording. You and a friend get on the microphone and explain something, anything in cyber.
  • The recording should be 5-10 minutes in length. Audio only.
  • Send your submissions via our contact form or via info@cisoseries.com. Label it “PODCAST AUDITION.”
  • DEADLINE: THURSDAY March 7th, 2024

Go to the blog post for details on how to deliver the IDEAL submission.


Jump in on these conversations

"Has anyone been interrogated by the CIA or FBI for reporting cyber crime, if so what happened?" (More here)

"Is there a demand for endpoint protection tools among non-business users?" (More here)

"Which Windows security event IDs do you closely monitor in your SIEM?" (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-23-24] Super Cyber GAME SHOW Friday
  • [03-01-24] Super Cyber GAME SHOW Friday
  • [03-08-24] Hacking Breach Response
  • [03-15-24] Hacking Security Driven Sales
  • [03-22-24] Hacking Effective Third-Party Risk Management

Save your spot and register for them all now!


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.


James Olsen

Director, Sales and Strategic Partnerships

10mo

I keep hearing #CISO leaders talking about #dataprivacy, and without overtly saying it, the core principle being discussed here is data stewardship and #dataminimization. This is a great discussion about the importance of #dataprivacy #datasecurity #dataprotection #datarisk and #datastorage, and all its legal, ethical, and reputational implications. Data privacy isn't going away. CISOs are often also Data Privacy Officers, but that's not always the case. #datamanagement is a team effort.

James Olsen

Director, Sales and Strategic Partnerships

10mo

Geoff Belknap is the coolest CISO ever. Always glad to hear his contribution when he's on CISO Series. (Now it's THREE comments/emails!)

Krishna C. Katragadda

Founder/Product | AI/ML, Data Analytics

10mo

Interesting topic David Spark. In one dimension, data is an asset and a liability, depending on the type or classification. However, it's also a moat. When taking a picture using smartphones (collection) and syncing to cloud drives (storage) was cheap (free initially), consumers took thousands of photos. Those pictures were used to train AI models. Now, with regulations in place, companies started charging for storage that was offered free initially. Now those companies have a moat. Customers who can't move GBs of data to other providers end up paying whatever the company charges.

☁️ Christophe Foulon 🎯 CISSP, GSLC, MSIT

Microsoft Cloud Security Coach | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management

10mo

Great points David Spark Geoff Belknap
