Advantages of Data-Focused Risk Assessments

February 2, 2010 by ADMIN

By Danny Lieberman, Security Expert and Founder of Software Associates

At a recent meeting with one of our clients, the question of the business case for data loss prevention (DLP) came up quite strongly.

It started with the client saying they were hearing that, while vendors like Symantec and Websense were getting a lot of customers to buy their DLP products, many of those customers were failing in their attempts to implement DLP.

The detailed reasons why DLP implementations fail merit a separate post, but it is a lot like why over 50% of the content management implementations from vendors like Vignette never made it to production in the 90s: the root cause was that there was no real business case for the technology.

I want to talk about why building a business case for data security is critical to the success of your data security, data loss prevention or fraud prevention project.

If you run a business or a business unit, you must ask yourself two questions. The first: is data security a major operational risk for your business? It could be.

Unlike a computer virus, internally launched attacks on data that result in data leaks, breach of integrity, loss of data availability and non-compliance are your problem, not someone else's.

Unlike business processes, data risk cannot be outsourced.

Unlike balance-sheet assets, companies don't know their current financial exposure to data security threats.

The second question: should you invest in DLP technologies?

Anyone with only a nickel in their pocket (and in this market, that's a lot of companies) will say, "Why should we, when we don't know the return on investment?"

To answer both questions, you must measure your value at risk using a data security-based risk assessment.

This is a simple, almost obvious notion: you measure the risk of asbestos poisoning by checking your building insulation, and you measure the risk of fire damage by checking the building itself and the various policies, procedures and equipment related to fire prevention.

Think about smoke detectors. You can't put up an office building without smoke detectors (in Israel the regulator has set a minimum density per square meter, and the prices are low enough that contractors will basically put in as many as you want). Why would you think of managing your data without the comparable data breach monitoring equipment?

A data security-based risk assessment uses DLP technology (the test equipment) and a best-practice analytical risk model to measure the value of your data and your value at risk. Within a couple of weeks you should be able to get a picture of your current data security events, know your data value at risk in euros, and build a prioritized program of cost-effective data security controls in the people, process and technology planes.

What you do then is up to you.

Most companies I know in Europe and Israel are not at a sufficient level of security maturity to do this kind of thing themselves and will need an independent consultant: one with domain expertise in their industry vertical, specific data security expertise and the ability to do analytical threat modeling. Installing Check Point firewalls doesn't count, and you really want someone who is vendor neutral.

Advantages of a data security-focused risk assessment
  • Invaluable tool for obtaining visibility of  inbound and outbound business transactions.
  • Monitoring that provides input into the risk analysis process required by compliance regulation like SOX, PCI DSS and European privacy laws.
  • Lays the basis for provable compliance with standards like PCI DSS 1.2 and ISO 27001/2/4.
* * *

Danny Lieberman is a serial technology innovator and leader, implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention/extrusion prevention technology.

Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at +972 54 447 1114; he is always looking for interesting projects and ideas.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
