Unified data and information governance, along with enterprise "agility," are standards most security practitioners would embrace. But how difficult are they to attain? And how does each discipline incorporate "multidimensional" thinking?
On the July 2, 2018 episode of "Task Force 7 Radio," KPMG Director, Cyber Security Strategy and Governance, Richard Kessler, spoke with host George Rettas about these pressing topics. Much of the work in meeting these marks, Kessler said, involves interdepartmental communication and cultivating relationships inside the organization, including with other technology branches.
In joining Rettas, Kessler said that much of his focus is on the various disciplines involved, from data governance to security and privacy.
The “TF7 Radio” guest described the unified data and information governance structure as “looking at data from a number of different angles.”
He said: “In today’s world, (professionals) look at these things holistically, in their relationship with one another. How can you manage them well, to achieve (results) for the clients, customers and organizations you serve?”
Kessler said that with "data everywhere," success on the privacy, governance and security fronts comes from "optimizing change management" and ensuring these topics are embedded "by design" and in the secure software development life cycle (SSDLC).
Life Cycle
The “TF7 Radio” guest also said that optimal data security comes in understanding the wider data life cycle. “You need to look at what the data is being used for, and match it up with the consent that’s been provided,” he said.
He took a moment to outline the data life cycle, including deletion when data is no longer required for business purposes. In the event of a breach, Kessler added, you need to know where the data is and where it could have been compromised.
By managing the life cycle to the end, and removing data when able, "you've reduced the threat landscape." Doing these steps effectively, however, requires an interdisciplinary approach.
‘It’s About People’
Governance may be about creating visibility and transparency in many areas throughout the business. In Kessler’s view, however, “at the end of the day, it’s about people.”
He said professionals must be educated about what's going on around them and know the subject matter experts in the firm who cover areas they might not be totally comfortable with.
Kessler advocated “an alignment” with these people, to collaborate and inform better decision making. In mature organizations, that process is integrated, so the decision making is a combined view across disciplines.
‘X By Design’
Time management is also central to this conversation, especially as the space moves so fast and, in some cases, budgets stay flat.
“Staying on top of different security providers, capabilities, tools and platforms is an incredible challenge,” Kessler said. “(A) more important use of time for a security professional (may be) to talk to those different folks that they work with. And not only the ones protecting the information, but who are driving innovation, working on digital transformation, improving the client experience and employing intelligent automation…”
Building relationships with these domain experts ultimately spurs organizational growth and establishes the key relationships needed for the aforementioned integration. This supports "security by design," and what Kessler more broadly calls "X by design."
Checklist
Before the release of a key product or initiative, Kessler said that a short checklist should be established that outlines “what we need to worry about before we put a great idea out, or before it’s industrialized.”
That "skinny checklist," organized correctly, won't stop innovation, but it will help prevent flaws before something is released into the wild. Kessler said that if the initiative creates a perpetually growing data source, the checklist will essentially be a prerequisite.
Buy-In From Above
The “TF7 Radio” guest continued, saying that assuming security has a “seat at the table,” communication with the board or C-Suite is an “opportunity to leverage strengths” which can expand security by design.
However, he also said the picture is a bit bigger. The KPMG director suggested CISOs and the like emphasize the importance of where data resides, and outline the data life cycle, which underscores wider risks. This extends into data management, privacy regulations, and more.
“We can create an agile enterprise by focusing on what we’re supposed to do really well, so that we can do what we want to do (even) better and more effectively,” Kessler opined.
'Multidimensional Thinking'
One key point from Kessler’s discussion with Rettas was the concept of “multidimensional thinking.” In a security context, that could mean having the humility to admit to the board that security should be communicating with other areas of technology, or working on governance and data quality, or records management.
Another key area for security to consider: investigative retrieval. Kessler said it is crucial – for purposes of e-discovery, litigation or regulatory investigation – that organizations be able to get data out fast. Even if it’s encrypted, the data must be accessible, en masse, within a certain timeframe.
Details such as this help “mature a CISO’s view,” Kessler said.
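The life-cycle controls from the "Life Cycle" section and the retrieval point above can be made concrete in a small data inventory. The following is an added example for this recap, not code from the article, from Kessler or from KPMG; every asset, system name, consent purpose, retention period and date in it is constructed for illustration. It checks each asset's most recent use against the purposes consented to, flags assets past their retention window as deletion candidates while respecting a legal hold (the litigation and e-discovery case), and, for breach scoping, answers which data categories lived on a compromised system.

```python
"""Added example: a toy data inventory with consent, retention and breach-scope
checks. All records, systems, purposes and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DataAsset:
    """One stored data set: where it lives, why it was collected, how long it may stay."""
    name: str
    system: str            # where the data resides (constructed system name)
    category: str          # data category used to look up consent
    purpose: str           # business purpose it was collected for
    collected_on: date
    retention_days: int
    last_used_for: str     # purpose of the most recent access
    legal_hold: bool = False  # set when litigation/regulatory retrieval requires retention


# Constructed consent map: purposes each data category was consented to.
CONSENT = {
    "customer_pii": {"order_fulfilment", "support"},
    "payment_tokens": {"order_fulfilment"},
    "web_analytics": {"product_improvement"},
    "employee_email": {"business_communication"},
}

# Constructed inventory; the "as of" date is the episode date used in the recap.
TODAY = date(2018, 7, 2)
INVENTORY = [
    DataAsset("orders_2017", "erp-db", "customer_pii", "order_fulfilment",
              date(2017, 3, 1), 365, "order_fulfilment"),
    DataAsset("support_tickets", "crm", "customer_pii", "support",
              date(2018, 5, 10), 730, "marketing"),
    DataAsset("card_tokens", "payment-vault", "payment_tokens", "order_fulfilment",
              date(2018, 1, 15), 180, "order_fulfilment"),
    DataAsset("clickstream", "analytics-lake", "web_analytics", "product_improvement",
              date(2018, 6, 1), 90, "product_improvement"),
    DataAsset("litigation_emails", "mail-archive", "employee_email", "business_communication",
              date(2016, 1, 1), 365, "business_communication", legal_hold=True),
]


def consent_violations(assets):
    """Assets whose most recent use is not among the consented purposes for their category."""
    return [a.name for a in assets
            if a.last_used_for not in CONSENT.get(a.category, set())]


def expired_assets(assets, today):
    """Assets whose retention window has closed, regardless of legal hold."""
    return [a.name for a in assets
            if a.collected_on + timedelta(days=a.retention_days) < today]


def deletion_candidates(assets, today):
    """Expired assets that may actually be removed: legal hold overrides expiry."""
    expired = set(expired_assets(assets, today))
    return [a.name for a in assets if a.name in expired and not a.legal_hold]


def held_past_retention(assets, today):
    """Expired assets kept only because of a legal hold; review when the hold lifts."""
    expired = set(expired_assets(assets, today))
    return [a.name for a in assets if a.name in expired and a.legal_hold]


def breach_scope(assets, compromised_system):
    """Data categories that resided on the affected system, for incident scoping."""
    return sorted({a.category for a in assets if a.system == compromised_system})


if __name__ == "__main__":
    print("consent violations:", consent_violations(INVENTORY))
    print("delete now:", deletion_candidates(INVENTORY, TODAY))
    print("expired but on hold:", held_past_retention(INVENTORY, TODAY))
    print("categories on erp-db:", breach_scope(INVENTORY, "erp-db"))
```

The card tokens are deliberately twelve days short of their 180-day window on the chosen date, so the expiry comparison has to be a strict one; the e-mail archive is past retention but stays because of the hold, which is exactly the tension between "delete when no longer needed" and "retrievable for investigation" that the two passages describe.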
Career Paths
Grasping these many disciplines also helps CISOs become better executives. Kessler even said that, depending on their strengths and relationships, these professionals could be on a fast track to the Chief Risk Officer (CRO) role, or Chief Data Officer (CDO), or even Chief Operating Officer (COO) and Chief Executive Officer (CEO).
Does that mean today’s security professional must be a generalist, though?
Kessler said that’s not necessarily the case. “We’ll always need folks who are experts in a particular thing,” he said. “And putting things together – transparency, clarity, vision, investment, governance – will (also) be a vital skillset.”
He said the “expert generalist will be incredibly important in the future,” and will be enabled by a governance structure, relationships and collective knowledge. Yet, enterprises will still need subject matter experts to “dig into the details.”
These tips, tools and structures ultimately lead to an “agile” organization with an impressive security posture and an informed CISO.
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.