Can easy and simple be better for data security?

2020-08-28 13:55:29

How much should you compromise between doing what’s best and doing what’s quick and easy? I can hear my father: “if you’re going to do something, then do it right the first time.” For difficult and complex IT projects related to enterprise data security, doing it right in today’s world, where value and speed are the key driving forces, might seem impossible. The constant pressure to do more with less and the demand for more automation push people to take the ‘easy route’.

Taking shortcuts is acceptable if you’ve done some risk analysis and accepted the consequences for you, your team, and your enterprise. When it comes to securing enterprise data, especially sensitive data, is it acceptable to take shortcuts to keep costs down? Let’s think first about the unintended outcomes:

For the end users who consume the data either directly or through an application, what’s best in terms of security often requires the contribution of a broader group of people, each having a part in the process to ensure that ‘all bases are covered’.

So, who’s responsible for ensuring that the best possible security is deployed? Who owns setting up and maintaining the infrastructure and the security policies that deliver the best way to use and protect data? Does the task fall on the CISO, the CEO, the CFO, the database administrator, the application manager, the product manager, or the engineers? Does it fall on the end user, via awareness? The answers are never straightforward. Regulations and industry standards have attempted to provide standardized, reusable guidelines. But a broad-based understanding at the business level of what needs to be done to protect data is still a labor of Sisyphus. Security should not be viewed as a typical IT project; it’s a practice. You can always get better at it, but you’re never done.

Where it relates to enterprise data security, taking the easy path, such as simply copying and sharing data, is devastating. It is a necessity to commit the extra time and resources to think through how control over this data can be preserved. The final outcome should be aligned with the goals of the business. Allow access to only the data needed to complete a job, as that is what furthers the goals of the business.