We tend to associate “cybersecurity” in the modern enterprise with a set of tools and measures that essentially protect the “perimeter” of the organization and the “containers” in which corporate data is stored: firewalls, encryption, anti-virus and anti-malware, web proxies, network and packet monitoring, password management, network and application privileges, multi-factor authentication, etc.

Related activities to test and protect an organization include penetration testing, security audits, risk assessments, and “tabletop” exercises.  At the end of the day, all of these tools and methods seek to protect the corporation’s main underlying asset – its data. This data may include current and historical records of the corporation’s operations and business processes, intellectual property, and customer and employee information. 

The mission to protect this confidential information leads to an inevitable conclusion: better management of that underlying data is a powerful tool for cybersecurity.  And to borrow a quote wrongly attributed to Peter Drucker: “What gets measured gets managed.” 

By leveraging technologies and techniques specific to that underlying content, corporations can understand “what’s there” and then manage it, protecting it from cyber risk in the process. 

Ways to Apply Governance Techniques to Manage Cyber Risk

The ways in which these risks are mitigated can be broadly described as follows:

  • Moving information from unknown locations and purposes into known and managed locations.
  • Creating a comprehensive, “evergreen” catalogue of information assets and applications across departments, lines of business, geographical regions, operating companies, and third parties.
  • Defensibly disposing of information that is no longer needed for operational, legal, regulatory, or other purposes, including business records that are subject to retention schedules. If it’s not there, it can’t be compromised! 
  • Gaining control over “neglected” categories of data that may pose a security risk, such as:
    • Former employee information – while departing employee hard drives may be wiped per procedure, a significant amount of former employee information may persist in terms of forwarded data, shared folders, email, and other unmanaged media.
    • Legacy systems that may be relatively unsupported but maintained for reference after a migration
    • Intermediate data repositories from conversions, migrations, testbed environments, development projects, etc.
    • File transfer operations that leave unmanaged artifacts in staging areas
    • Transaction logs and database dumps
    • Extracts from enterprise systems stored in user areas of the network (for example, analysis spreadsheets derived from human resources or accounting systems)
    • Data warehouses or lakes
    • Data inherited through mergers and acquisitions
    • Old log files and backups that have long since expired.
  • Classifying information by sensitivity and function (e.g., “public”, “confidential”, “crown jewels”, etc.).
  • Effectively managing data held by third parties. Given the outsourcing of data management away from company control over the last ten years, companies are subject to the security policies of the hosting provider. Companies must apply the same governance, information management, and minimization controls to hosted data as to on-premises data, especially since they may lack control over the third party’s cyber practices.
  • Identifying confidential and sensitive data, including personal information and intellectual property, and moving it to secure locations.
  • Implementing actionable retention procedures that are aligned with schedules and policies. As we have seen over the last twenty years, it is far more difficult to dispose of electronic business records at the end of their retention period, and just as hard to eliminate non-business records such as convenience copies. All can pose a security risk. Businesses can do far more to help users classify emails that contain business records and move them to managed locations. Further, corporations can recognize the trend away from departmental retention schedules toward simplified functional schedules that enable individual users to better manage their information and dispose of unneeded records safely.
  • Aligning policies and procedures with the above practices and enforcing them for consistency. For example, if mail items are removed from the server every 90 days, there shouldn’t be system backups keeping the information for two years.
  • Creating a governance structure that promotes centralized oversight of all corporate data and brings together all the different “siloed” constituencies and stakeholders in the organization, including records management, compliance and privacy, security, information technology, legal, and the various administrative departments and business units.
  • Responding to regulatory obligations around privacy such as GDPR and CCPA/CPRA, which can also assist in managing cyber risk. The very purpose of these burgeoning regulatory frameworks is to ensure that sensitive data about persons, residents, consumers, families, etc., is safeguarded. In order to respond to a data subject access request (DSAR) or other compliance obligation, many activities must be performed that promote cyber-awareness, such as creating a data and workflow inventory, appointing a data protection officer, creating impact assessments and record-of-processing registers, and understanding the roles of data processors and controllers.
  • In the unfortunate event of a breach, providing a means to analyze content to understand the impact of what was compromised and the resultant notification and response requirements.

Technology that Can Help Get the House in Order

Note that the tools to foster an “information-governed” organization and the tools to enforce cybersecurity strategies are themselves converging. Nowhere is this better represented than in the Microsoft 365 environment, where a common set of tools acts on data stored in the Azure cloud to enable investigation, compliance management, eDiscovery, retention, data loss prevention, and other security controls.

In general, however, a wide variety of software tools have entered the marketplace that bridge the gap between governance and security. These include tools that build inventories of data and applications (both on-premises and in the cloud) and create a shared catalogue.

Note that while existing inventories can be used as starting points, an effective data inventory still requires interaction with users at the business, departmental, and workgroup level to understand the true nature of the systems used “in the trenches” to get the work done (including “shadow IT”). And because users are inherently fallible as to where data lives in the system, a class of data discovery tools has evolved that enables corporations to locate and remediate unknown or unmanaged data inside the firewall, including unmanaged locations such as email, collaboration systems, home and shared directories, and endpoints.
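As an added illustration of the data discovery step described above, and of the “neglected” data categories listed earlier (extracts left in user shares, database dumps in staging areas, backups past their expiry), the following Python script is example code written for this page; it is not the article’s own material or any vendor’s product. It walks a constructed sample directory tree, counts Social Security number and payment-card patterns in each file (with a Luhn check so that arbitrary digit runs are not reported as card numbers), classifies each file as confidential or public, and marks files older than a retention horizon as stale candidates for defensible disposal. The two patterns, the sample files, and the two-year horizon are assumptions chosen for the example.

```python
"""Minimal data-discovery scan over a constructed sample tree (example code)."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Patterns for the two sensitive-data classes this example looks for. Both are
# assumptions for the example; a production scanner carries a wider catalogue.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    classification: str  # "confidential" if any sensitive hit, else "public"
    ssn_hits: int
    card_hits: int
    age_days: int
    stale: bool  # file is older than the retention horizon given to scan_tree


def count_cards(text: str) -> int:
    """Count card-like digit runs that also pass the Luhn check."""
    return sum(
        1 for m in CARD_CANDIDATE_RE.finditer(text)
        if luhn_ok(re.sub(r"\D", "", m.group(0)))
    )


def scan_file(path: Path, retention_days: int, now: float) -> Finding:
    text = path.read_text(errors="replace")
    ssn = len(SSN_RE.findall(text))
    cards = count_cards(text)
    age_days = int((now - path.stat().st_mtime) // 86400)
    return Finding(
        path=str(path),
        classification="confidential" if (ssn or cards) else "public",
        ssn_hits=ssn,
        card_hits=cards,
        age_days=age_days,
        stale=age_days > retention_days,
    )


def scan_tree(root: str, retention_days: int = 730, now: Optional[float] = None) -> List[Finding]:
    """Scan every regular file under root; results are sorted by path."""
    now = time.time() if now is None else now
    return [scan_file(p, retention_days, now)
            for p in sorted(Path(root).rglob("*")) if p.is_file()]


def build_sample_tree() -> str:
    """Constructed sample data written to a temp dir so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="discovery_demo_"))
    files = {
        # HR extract left in a user share (constructed; the SSNs are not real)
        "shares/hr/headcount_2021.csv":
            "name,ssn\nAlice Example,123-45-6789\nBob Example,987-65-4321\n",
        # database dump in a staging folder; the second number fails the Luhn check
        "staging/finance/payments_dump.sql":
            "INSERT INTO payments VALUES ('4111 1111 1111 1111', 19.99);\n"
            "INSERT INTO payments VALUES ('1234567890123456', 5.00);\n",
        # harmless public content
        "shares/public/readme.txt": "Cafeteria hours: 08:00-15:00 weekdays.\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # Make the dump look three years old, i.e. past a two-year retention horizon
    old = time.time() - 3 * 365 * 86400
    os.utime(root / "staging/finance/payments_dump.sql", (old, old))
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = " STALE" if f.stale else ""
        print(f"{f.classification:12} ssn={f.ssn_hits} cards={f.card_hits}{flag}  {f.path}")
```

The output is the kind of catalogue the article calls for: which locations hold confidential content and which artifacts have outlived their retention period. Pointing the scan at a real share root instead of the constructed tree is the only change needed, though the pattern set would then need to reflect the organization’s own classification scheme.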

Finally, policy management software can assist in monitoring activities going forward, helping to enforce the new policies and to keep data classified, minimized, protected, stored in the appropriate locations, and known to the organization. This “governed” environment provides the necessary “connective tissue” for the cybersecurity program.