Data governance is essential to cyber security

January 6, 2020

Cyber security is getting a lot of publicity in recent years. Ever-more sophisticated cyberattacks involving malware, cross-site scripting, denial of service and other techniques have placed organisations big and small at constant risk. Even unsophisticated attacks like phishing have continued to advance and evolve over the past few years, and cause organisations problems on a daily basis. In January 2019, Australia’s Parliament House was compromised by one simple click of a mouse, which punched a digital hole in what should have been one of the country’s most secure Information Technology (IT) systems.[i]

As concerns about cyber threats have grown, businesses are making greater investments in developing business continuity plans for the event of a cyber-attack and in purchasing cyber insurance policies. Worldwide spending on cyber security is forecast to reach $133.7 billion in 2022.[ii]

An increasing number of organisations have invested in incident response capabilities, dedicating individuals to analysing traffic flows and monitoring for cyber-attacks. These roles have proven effective in many situations, as they can minimise downtime and increase customer trust, consequently yielding financial advantages. They are often intimately involved with IT application and infrastructure teams, informing the type of security controls necessary to keep the organisation safe from cyber threats.

In recent years, we have seen a shift in security investments from threat prevention to threat detection. This requires an investment in security operations centres (SOCs) as the complexity and frequency of security alerts grow. According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015.[iii]

But in many organisations, there are still some fundamental questions unanswered. Questions such as:


Understanding cyber security

To answer these questions, it is important to understand what cyber security is. Cyber security refers to a set of techniques used to protect the integrity of an organisation’s security architecture and safeguard its data against attack, damage or unauthorised access.[iv] At its core, cyber security involves protecting data from cyber threats.

Data is a valuable resource. According to The Economist, the world’s most valuable resource is no longer oil, but data.[v] It therefore makes sense that the minimum security requirements are informed by the type of data that needs to be protected. That determination is commonly made by performing a risk assessment that considers confidentiality, integrity and availability, also known as the CIA triad. The CIA triad considerations are outlined below.


Accountability for data

What happens more often than not is that an organisation’s IT department, responsible for the management and maintenance of information systems, is also expected to determine the above CIA criteria for specific data and to implement what it deems to be appropriate safeguards.
This is often a sign that the roles and responsibilities for data within an organisation are not well understood. In most circumstances, the business subject matter experts are in a better position to answer the questions about the confidentiality, integrity and availability requirements for the data.

Data governance can help with this. Clearly defined decision rights across an organisation are a key enabler of good data governance, supporting efficient decision making about the management of data throughout its lifecycle. Data governance roles and responsibilities exist to champion the vision for data management, build a data-aware culture and ensure the right data is leveraged to achieve value across the organisation. The recommended governance roles and responsibilities crucial to the overall collection, management and use of data are listed below.


Five knows of cyber security

Both data security and data governance share one common objective: protecting the organisation’s data. Data governance is a fundamental part of security. It ensures that the right people have the right access, whilst data security makes sure that enterprise data is safeguarded.

The ‘five knows of cyber security’[vi], developed by Mike Burgess, former Chief Security Officer at Telstra, address five key questions that each organisation should be able to answer in relation to its data.

  1. Do you know the value of your data?
  2. Do you know who has access to your data?
  3. Do you know where your data is located?
  4. Do you know who is protecting your data?
  5. Do you know how well your data is protected?

The questions above highlight the fact that data is central to cyber security. Data governance enables an organisation to answer these questions and therefore becomes central to effective cyber security controls.

The five knows of cyber security represent a significant shift in focus – from a technology discussion to one where senior management can engage in and contribute to the effective management of cyber security risk.

Although less about cyber security and more about data governance, The University of Queensland (UQ) has added one more question to the list above as part of its Enterprise Data Governance Program: ‘Do you know the quality of your data?’ This relates to data integrity, but is not always a security-related concern.

Information security classification

Based on the confidentiality, integrity and availability requirements, a better understanding can be gained of the sensitivity and risk associated with a dataset. Based on that understanding, an information security classification can be assigned.

For instance:

Understanding the information security classification of an organisation’s datasets is critical to informing cyber security controls. Controls can be categorised in a number of ways. For example, for sensitive datasets the following security controls might apply:

Data Stewards are the subject matter experts when it comes to the data and its associated value and risks. They have a better understanding of who should have access to the data (confidentiality), the risks of the data not being accurate (integrity) and any impact associated with the data not being available (availability).

Although it is sensible for Information Technology Service Providers to provide input on security controls, it should ultimately be Data Custodians and/or Data Stewards who make the final decision. Notable reasons for this include that security controls come with an associated cost and may impact user experience. The business must ultimately own the decision to accept or mitigate business risk and decide how much it wants to invest in protecting its datasets.

Conclusion

Data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. Data governance allows an organisation to identify its high value, high-risk datasets and allocate additional resources to protecting the data if necessary.


Note: This article was written to highlight the relationship between data governance and cyber security. It leaves out other important aspects of data governance such as policies, metadata, master data and data literacy.


[i] https://www.abc.net.au/news/2019-11-15/cyber-attack-thwarted-on-parliament-house/11706444

[ii] https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

[iii] https://www.gartner.com/en/newsroom/press-releases/2019-03-05-gartner-identifies-the-top-seven-security-and-risk-ma

[iv] https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security

[v] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

[vi] https://www.telstra.com.au/content/dam/tcom/business-enterprise/security-services/pdf/5-knows-of-cyber-security.pdf