As the value and volume of data continues to rise, the need to effectively assess and communicate data-related risks has never been greater. Business executives need a focused set of metrics that enable fast and effective decisions. IT and security pros often lack the right metrics, information, and approach needed to embed themselves into business conversations and positively affect data security practices.
DBTA recently held a webinar featuring Heidi Shey, Forrester Security & Risk Senior Analyst, and Daneil Goodes, IBM data security specialist, who discussed tools for data security metrics and how important briding the gap between business and security is.
According to Shey, Business risks include variety of sources that include information security, operational, financial, legal, reputational, and more.
Risk concerns reflect changing business priorities:
- Information security
- Data privacy
- Customer experience
In a recent survey with IBM, more than half the respondents have experienced a breach within the last 24 months, Shey said. Some respondents said that even though they may not have experienced a breach, they actually weren’t sure.
The consequences of a data breach are far reaching. It can affect the company in a plethora of ways such as additional security and audit requirements, executive or IT departures after event, regulatory fines, lost of customer trust, legal action, and drop in stock price, if public company.
She suggested enterprises begin using security metrics to measure risk. A metric must help decision maker select course of action and understand implications of choice, Shey said.
There are five capabilities that companies can invest in to determine risk:
- Dashboard w/ views of business risk and affected sensitive assets
- Near real-time risk and exposure information
- Analytics that assess type of risk, potential impact, affected assets
- Security response guidance commensurate with the information’s value
- Graphic illustrations of affected information assets and business processes
Goodes suggested the IBM method which includes the critical data protection program. The solution defines, discovers, baseline, secures, and monitors.
An archived on-demand replay of this webinar is available here.