Hopefully you saw my recent post “Data is the hot potato!” and data minimization lessons from the FTC’s Drizly case, and it reinforced in your mind just how important it is to focus on the data when we are talking about cyber and privacy risk management. If it didn’t, that’s OK; here’s another reminder.
My friend Steve Anderson just shared this article on LinkedIn that serves as another great reminder: “The Future Of Data Security At The Board Level: Insights From The Twitter Whistleblower Testimony.” In this article, the author explains that he has been watching the Twitter Whistleblower Testimony and that there are a couple of simple questions that Boards will likely focus on that are quite challenging to actually answer. Here you go:
“First, they don’t know what data they have, where it lives or where it came from.”
Hearing the problem of data visibility stated so simply, it’s hard to believe that organizations won’t have answers to the same questions on what data they have, where it lives and where it comes from. The truth is that these are hard questions to answer without specific investments having been made into technologies and processes.
These three questions are nearly impossible for any organization not in the cloud to answer at scale, as data and applications are likely to be siloed and unable to be queried without significant engineering effort. The advent of cloud APIs and a centralized control plane gives organizations the ability to quickly query and thereby monitor data flow at scale across a multicloud environment.
It’s equally unfair to expect any CISO new to an organization to be able to answer these questions. With an average tenure of 18 to 24 months, most CISOs could quite fairly be described as “new.” Their focus is more on simultaneously trying to invest strategically in new capabilities while reacting to the latest incident(s) than on unraveling years of technical debt and finding out where data that’s accumulated over the years came from or why they were collecting it in the first place.
“In this case, my concern was more that Twitter didn’t even know what it was collecting,” according to Mudge’s testimony.