Do you know what your company's data is worth? I'd like to think you do, otherwise, how can you appropriately allocate security resources to keep that data safe?
Chances are, however, you don't know. Otherwise, you wouldn't be spending as much on compliance as you are.
Compliance-driven security is being forced upon most of you, and it's an approach that's totally contrary to what you should be doing. If data is indeed king, why aren't you following a data-centric approach to security?
A recent RSA/Microsoft/Forrester Research report called "The Value of Corporate Secrets" tried its best to put a value on the data your company either produces--in the form of intellectual property or trade secrets--or collects from customers and partners. Their conclusion: Regulatory pressures force companies to spend close to half of their security budgets on compliance-driven security projects. The problem is that the report estimates that proprietary secrets are twice as valuable as custodial data.
From the report: "Secrets comprise 62% of the overall information portfolio's total value while compliance related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance."
Now chances are, Forrester's valuations of data aren't totally accurate, but I think their point is well made and for the most part on course. Most custodial data losses are accidental; a backup tape falls off a truck, a spreadsheet is emailed somewhere it shouldn't have been, someone loses a USB stick, or leaves their smartphone in a cab. Even theft of credit card numbers and other personally identifiable information that could lead to identity theft, which are costly to companies in terms of breach notification mandates, aren't as damaging as the theft of pharmaceutical formulas or engineering blueprints would be. These represent a competitive advantage. Imagine the competition getting hold of financial forecasts, competitive analysis, proprietary research, source code, or other strategic documents; the longterm damage is unimaginable to the financial viability of your enterprise.
Yet, because of compliance, you're spending tens of thousands on security technologies that will satisfy a PCI QSA, or a Sarbanes auditor.
Hopefully that tide will change soon. The Chinese attacks against Google and other large technology companies, manufacturers and government contractors were different for one important reason: they were made public. The vast majority of such targeted attacks against companies or government agencies heavy in trade secrets and intellectual property are never reported. Google, however, changed that. Granted its agenda is more political than humanitarian, nonetheless, the effect is the same. Security's perception and awareness of targeted attacks against company secrets has changed and is out in the open.
Again, from the report: "Targeted zero-day attacks are routine, particularly against government agencies and in the aerospace and defense sectors. What is new is that we are now seeing headlines about it. [Google's] admission that it lost some of its secrets in the recent attack shows that securing trade secrets deserves just as much attention as [attacks on custodial data]."
Security management is quick to repeat the pablum that compliance does not equal security. Yet in the end this is nothing but lip service. Getting a certificate from the PCI Security Standards Council that you are in compliance with PCI DSS does not mean you're invulnerable to attack and data loss. Yet companies continue to invest in security only because of compliance, and in most cases, it's the best driver security management has with executives for budget requests. This paradigm has to change.
Trade secrets, intellectual property and military intelligence are much more valuable to a company's financials or to national security than credit card numbers and customer information. Organized criminals and enemy nation states are conducting espionage in order to steal that information.
You as a profession talk about prioritizing risks and spending accordingly. It's time to walk the walk, and not just talk the talk. Invest in protecting the data you value most.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.