The various legislation and industry standards that require businesses to protect sensitive data may drive us all a little nuts - the extra expense, investing the time to understand the new rules, business disruptions during the deployment process, etc.
However, data protection legislation such as PCI DSS is positive, and implementing good security guidelines will help any business reduce the opportunities for a criminal to conduct a successful hack attack, writes Gordon Rapkin, CEO of Protegrity.
Unfortunately, simple compliance with data protection regulations is never enough to truly protect captured, transmitted and stored data adequately. Businesses which are focused solely on achieving compliance may decide not to deploy the more sophisticated schemes that would make their systems truly secure.
Many regulatory data protection guidelines are basic best practices, no more and no less. Many organisations make the huge error of reacting - designing their security and compliance programmes solely in response to breaches or regulatory demands. True security is proactive.
Reactive responses tend to result in disparate data security and privacy projects which leave substantial security holes as data moves among (or is shared by) multiple platforms and applications. Failing to treat the protection of confidential data as an enterprise-wide, proactive strategy produces needlessly high costs and less-than-optimum security.
To get the best return on a security investment, businesses should be thinking of data security management as an ongoing enterprise-wide strategy. Security is a process, not a project. Focus on developing strong defences against agreed-on risk analyses and threat profiles, rather than on meeting the demands of specific regulations.
True security should be holistic - a comprehensive data-driven plan that includes technology, policy, processes and people. Data flows through a company, into and out of numerous applications and systems. This flow, in its entirety, is the focus of a holistic approach to data security. Think of your network as a municipal transport system. The system is not just about the station platforms. The tracks, trains, switches and passengers are equally critical components. Many companies approach security as if they are trying to protect the station platforms, and by focusing on this single detail they lose sight of the importance of securing the flow of information.
Simply following the letter of the law may leave your organisation technically in compliance, but not actually very secure. Security measures that aren't understood and fully embraced across the entire enterprise can, and will, be circumvented. As you plan, implement or refine your data protection plans, don't stint on ensuring that employees understand the importance of keeping customer information secure and protected.
We can't rely on applications to do all the work for us, and we can't just throw money at data security technologies and hope risks will go away. Smart policies, procedures and people are just as important as choosing the right security solutions. This holistic approach to security is far more powerful than the fragmented practices present at too many companies.
Focusing on developing a comprehensive data-driven holistic protection plan, rather than continually struggling to achieve compliance with current regulations, allows you to think strategically, act deliberately and get the absolute best return on your data security investment.
Computer Weekly Infosecurity 2008 show guide and preview