Back when travel didn’t require a mask, I had an insightful discussion with a CISO over a beer on an airplane. I was excited to get my upgrade into first class, and the gentleman next to me turned out to be a CISO at a large chain of stores. When we each requested a beer, I asked one of my favorite questions:
“What keeps you up at night?” Without hesitation he answered, “The media.” I replied, “I assume you mean negative press of some sort?” “Yes, my CEO loves to be in the spotlight, and that’s fine if he’s talking about our latest innovation, but if something bad happens, well, I just don’t believe that line about any press is good press,” he said. “May I ask, what exactly are you worried about when you say something bad happening?” I replied. “I wish I knew,” he said as he took a long sip of his beer. “I’ve got a great team, and we’ve implemented a host of different security processes and tools, but I constantly have this feeling that someone will manage to steal something important and use it in a way that will show just what I’ve been missing despite all my efforts in the last year.”
As we talked, it was clear this young CISO (it turns out he has been in this specific security role for only about a year) was still struggling to overcome one of the first critical aspects of data security: what data do I have that matters? While he knew that he had to protect his customers’ credit card data, he was not sure what other data about his customers, and even his employees, he needed to protect. Unfortunately the flight was barely long enough to offer us that one beer, so I didn’t have the opportunity to dig into his specific data concerns, even if such a conversation would have been appropriate on a plane with someone I had just met and others within earshot.
However, I did at least get to review with him a quick overview of where to start. First, to complete the question we had already raised: Define specifically what data to protect. Once you know what to protect, you need to prioritize or classify that data so you know how to properly secure it. Next, we discussed how to map out where the data is within his environment and how it moves around in and out of his infrastructure. As we began to descend for landing, we ran out of time to discuss additional stages such as regular assessments and how to minimize risk through reducing the scope of data handling and access to sensitive data.
Thankfully, we were able to connect again later, and as things turned out, he had several good tools and procedures in place. One major aspect he was missing was a holistic approach to protect all his data while leveraging both his security tools and his newer cloud infrastructure. As I helped him learn to leverage a single data protection platform, we were able to address multiple compliance standards and privacy regulations and improve his overall security posture in a way that allowed him complete control over all his sensitive data.
There are always new challenges this CISO will face, but he tells me he sleeps better at night, and he thanks me that he’s been able to stay out of the media for the right reasons. If you want to explore how your organization can benefit from a data protection platform, contact us. We’d love to help you sleep better at night!