In our digital-first economy, data is the new currency—and it is growing in value for organisations, their customers and threat actors. The ongoing processes of the digitisation and the commercialisation of data are also receiving increased attention from regulators, who are pushing for more privacy protections. Data protection is a concern for CISOs and boards of directors across the globe, so creating a robust data governance program has become a top priority for everyone.
The world has changed, and data governance and protection must evolve with it. In the old world, protecting information was straightforward because it resided in data centres that we alone controlled. In this new "everywhere and anywhere" world, where data can sit in public clouds, SaaS apps, on-premises systems or anywhere else, simply maintaining visibility into where data lives is a new problem. Organisations must address a separate set of challenges and ask new questions as they think through their data governance approach.
Grappling with broader enterprise risks
The decentralised workforce also accelerates people-centric risks, making data protection much more difficult. In 2022, the global average total cost of a data breach reached an all-time high of $4.35 million, according to IBM Security's Cost of a Data Breach Report. The report attributes part of the rising cost to remote work, finding a "strong correlation" between remote work and the cost of data breaches: breaches where remote work was a factor cost $1 million more on average.
Customer personally identifiable information (PII) is the most costly type of record compromised in a data breach. This data is valuable to threat actors for financial theft, fraud and other cybercrimes, which means attackers will continue to target it and regulators will continue to dial up the pressure on organisations to protect it better.
The ever-expanding regulatory regime is one factor driving up the costs of data breaches and the need for better data governance. In the U.S., for example, 39 states have considered consumer privacy laws since 2018 and five have enacted them, according to the International Association of Privacy Professionals (IAPP). As the IAPP noted, "state-level momentum for comprehensive privacy bills is at an all-time high."
A robust data governance program must acknowledge this changing environment and consider its implications while answering core questions, such as:
- Where is your data stored?
- Is your data protected or regulated?
- How is that data used (who has access to it)?
- How is that data protected?
Steps for developing a data governance program
The biggest challenge for many organisations is understanding where all their data resides and how to get visibility across their entire ecosystem. Data retention is another area of struggle and regulatory tension, especially since every regulation has different requirements. Taking a phased, layered control approach to data governance will help you address these challenges and answer the core questions we are considering.
A layered approach enables you to advance from developing and defining your data governance program to maintaining and optimising it. Discovery, the first phase in this approach, involves establishing the initial control. This is where you go through steps such as qualifying the laws and regulations that apply to your organisation, defining your data protection strategy based on data lifecycles, identifying the highest-risk users, discovering your digital footprint, setting up global inventory, and indexing the data.
In the second phase (detection), you're developing control capabilities by gaining context for all your user activity, intent, and access; identifying compromised accounts and phished users; and classifying sensitive or regulated data. You're also taking steps to track incidents and collect and capture data from all your sources.
And finally, the last phase (enforcement) is about growing full control capabilities, such as removing data from untrusted locations, providing a secure and compliant third-party exchange, enforcing data boundary protections, implementing full compliance supervision, and so forth.
By breaking down all the big questions into smaller, actionable steps, you're creating a programmatic approach that helps you protect data based on your highest risks and gives you the best return on investment. It's important to continuously assess the effectiveness of your program and optimise it. Your environment is dynamic and threat tactics change constantly.
Focus on human-activated threats
Although the enterprise landscape changes rapidly, people stay at the core of data protection. The human element is involved in 82% of data breaches, according to Verizon's Data Breach Investigations Report. From phishing and stolen credentials to human error, your employees and other insiders represent your highest risk.
Threat actors will continue finding creative ways to steal and monetise your data. Protecting data in a people-centric threat environment requires people-centric data governance controls. Building a strong people-centric framework into your data governance program will better prepare you for whatever challenges come next and put you in a better position to protect your most valuable currency.
Visit the CISO Hub today and check back regularly for new updates. Also, feel free to look at our online resources for CISOs on our Trust site to learn more about how we handle data and make commitments to privacy and other regulations.