Safely beyond the firewall
data security through maturity in people, process and technology


In today’s digital world, data security is an indispensable aspect for virtually every organization. Ask yourself this question: if my customers’ data ends up on the street, what will it do to my reputation? Will competitors be able to make use of my information? Or what if the data breach stays internal, but accidentally opens up payroll, HR files or chats too widely internally?

Many organizations, meanwhile, are making good strides when it comes to keeping hackers out, detecting malware quickly and training users to recognize phishing mail. But when it comes to working safely with data, we do not yet see the same dedication, and existing measures are often inadequate. This at a time when the use of cloud services, mobile devices and IoT (Internet of Things) has grown in recent years, and the work-from-home culture is now well established. With all these developments, it is not surprising that protecting sensitive data has become a complex challenge.

It’s useful to take an independent look at the yardstick and determine where you stand. Not just in terms of the technology you use to keep your business secure, but equally in terms of the robustness and reliability of process and people. In this blog, we look at our Data Security Maturity Model and discuss how you can grow as an organization in terms of operational risk management.

The maturity of your risk management

To determine the maturity of your risk management and data security, we distinguish between different levels. Each with their own characteristics and objectives.

Level 0: Reactive
  • Data security is considered a reactive measure, responding to incidents only after they occur.
  • There is no structured security policy and the focus is on troubleshooting after theft, leaks or errors.
  • There is no learning capability in the organization and a risk will not be resolved. As a result, a similar incident in the short term remains plausible.

Level 1: Basic security
  • It starts by implementing basic security measures such as encryption and segmenting corporate data based on employee roles and permissions.
  • There is no structured approach yet, but the modus operandi can be characterized as “reactive to others”. This is the kind of organization that, after news of a major ransomware attack or cyber threat, decides “we have to do something about it”.

Level 2: Structured policies
  • Organizations develop structured security policies and procedures. Policies are derived from the risk the organization faces and/or laws and regulations that must be met.
  • The focus is on identifying and classifying sensitive data, as well as implementing access control and compliance guidelines.
  • When changes occur, such as new products, services or suppliers, they are reviewed against the existing policy. The policy itself is also reviewed with some regularity.
  • Awareness is part of the organization and occurs at entry, movement and departure.

Level 3: Proactive security
  • Proactive measures are taken to identify and prevent potential threats. The ‘trust but verify’ principle is applied and data access and storage are controlled across the entire organization. Assurance documentation must be provided by chain suppliers and both structured and occasional internal and external audits take place.
  • It uses advanced security technologies, such as behavioral analysis on endpoints and people, and brings in threat intel. The goal of this is to detect and mitigate threats in real time, as well as to be policy-driven.
  • Access to data, for humans, machines and applications alike, is based on “conditional access”: a request that does not meet the requirements is automatically denied.
  • Awareness builds on, and fits, the risk profile of the position. A Director of Finance traveling to China gets tailored advice on handling data that differs from the advice given to the janitor.

Level 4: Advanced security and continuous compliance
  • At the highest level of the model, organizations have implemented an advanced security infrastructure that meets stringent compliance requirements. Data security is a core competency of the organization and people are actively developing and applying the latest technologies.
  • There is continuous evaluation and improvement of security measures to keep anticipating new threats and regulations. If a person, department, process or piece of technology is “non-compliant” we see a (near) real-time response.
  • Awareness is person-centric and also leans on environmental factors and threat intel. When we see increased amounts of spearphishing, are aware of a position that could be blackmailed, or know that the person plays a key role in an important M&A trajectory, we respond by warning of a BEC (business email compromise), for example.
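The Level 3 “conditional access” bullet describes a fail-closed rule: any requirement that is not positively met means no access. The following is an added illustration of that rule, not code from the original post; the principal kinds (human, machine, application) come from the post, while the concrete requirement names and the `AccessRequest`/`evaluate` helpers are assumptions made for this example.

```python
"""Default-deny conditional access check (added example, not from the post)."""
from dataclasses import dataclass, field

# Assumed requirements per principal kind, constructed for this example.
# A real policy would derive these from the risk profile and data class.
REQUIREMENTS = {
    "human": ("mfa", "managed_device", "device_compliant"),
    "machine": ("device_compliant", "attested_identity"),
    "application": ("attested_identity", "client_cert"),
}


@dataclass
class AccessRequest:
    principal: str                               # "human", "machine" or "application"
    signals: dict = field(default_factory=dict)  # requirement name -> bool, as observed


@dataclass
class Decision:
    allowed: bool
    reasons: list


def evaluate(req: AccessRequest) -> Decision:
    """Allow only when every requirement for the principal kind is met.

    Fail-closed: an unknown principal kind, a missing signal, or a signal
    that is anything other than the boolean True all resolve to deny, so a
    misconfigured or partially-reporting client can never be waved through.
    """
    required = REQUIREMENTS.get(req.principal)
    if required is None:
        return Decision(False, [f"unknown principal kind {req.principal!r}"])
    unmet = [name for name in required if req.signals.get(name) is not True]
    if unmet:
        return Decision(False, [f"{name} not met" for name in unmet])
    return Decision(True, ["all requirements met"])


def demo() -> list:
    """Evaluate a few constructed requests and return the decisions."""
    requests = [
        AccessRequest("human", {"mfa": True, "managed_device": True, "device_compliant": True}),
        AccessRequest("human", {"mfa": True, "managed_device": True}),   # compliance unknown
        AccessRequest("machine", {"device_compliant": True, "attested_identity": "yes"}),
        AccessRequest("service_account", {}),                             # kind not in policy
    ]
    return [evaluate(r) for r in requests]
```

Only the first constructed request is allowed; the others are denied with a reason naming the missing or malformed signal, which is the audit trail a Level 3/4 organization needs for its (near) real-time response to non-compliance.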

I know where I stand, but where should I aim next?

As a stakeholder or the person responsible for data security, you are no doubt aware that this is one of the trickiest things to get right in security. In a modern organization, seamless collaboration is the norm, and measures such as mandatory labeling, device restrictions, segregated storage and limited access create delay and irritation for the end user or developer.

It is therefore very important that you align the level of data security with the risk profile of your organization, but also with the character of your organization and its people. Don’t have support from management for strong policies? Then start by conveying a sense of urgency. This can be done by emphasizing potential loss, but also by highlighting the benefits of certification, for example.

Top-down, too, there are often challenges. When data classification becomes a requirement, for example because of a standard you must comply with, this has major consequences for the existing workflow, especially if labels have to be assigned manually. If employees do not see the usefulness and necessity of it, and experience insufficient technical support, the result is poor adoption.

So our motto is: aim for the maturity level that is needed, that you can justify and that suits you and your people. Are you not there yet on some of the points? Take that into your journey, from pitch to implementation, and make sure those weaknesses are addressed before you go full speed ahead. Purchasing good technology without motivated colleagues is a waste of money. Equally, motivated colleagues who are not supported by the right processes and progressive technology quickly lose their enthusiasm.

Know your weaknesses as well as your strengths. Don’t hesitate to bring in external help to get you started. If you score well on two of the three (people, process and technology), you are almost there!
