Protecting the crown jewels with clear thinking and a little help from your friends
I see a transformation in modern security practice. There is a new appreciation for the primacy of data. Certainly the financial institutions are forward thinkers in this regard, along with insurance companies, most of the heavily regulated industries and some retailers. Apart from those folks, however, I think there is a lot of awareness about the bad things that can happen. Many purchase decisions today, however, show signs that the tail is wagging the dog: so many vendors are pushing data loss prevention solutions that it MUST be a bandwagon I should jump on. If I don’t, I might end up on the front page next to TJX.
A CISO at a Fortune 500 telecommunications company in the US said his organization is improving three classes of security activity: prevention, detection and corrective action. In a phone conversation he reminded me that a few years ago, data classification was all the rage. But the point was well taken, he said. We all needed to step back and say, "Wait a minute. What are we really trying to protect here?" One key to success he discovered was asking his legal department for help. "Take a look at the records retention guidelines that legal departments crank out. You’ll find an excellent starting point for identifying the most important information in your organization." It is just a start, but it’s better than most IT security folks can do by themselves.