Forrester's advice for data governance maturity model successDate: Oct 19, 2010
To successfully protect sensitive data, enterprises should not only follow a standardized set of guidelines to ensure they are capable of protecting data, says Forrester Research Senior Analyst Andrew Jaquith, but also to demonstrate their ability to protect that data to assessors, partners and others.
In this interview at the recent Forrester Security Forum 2010, Jaquith discusses Forrester's data governance maturity model, which serves as a benchmark for organizations looking to asses their data protection programs. He also explains how to assign responsibility for social network data, and tells why mobile device security has become the No. 1 data protection worry for many enterprises.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact email@example.com.
Forrester's advice for data governance maturity model success
Eric Parizo: Andrew Jaquith, senior analyst for Forrester
Research. Thanks for
joining us today.
Andrew Jaquith: Thanks for having me, Eric.
Eric Parizo: Let's talk about the maturity model for data security. A key mantra
for Forrester's philosophy is never to prescribe technologies to treat
symptoms if you will, when it comes to protecting sensitive data. Why is
Andrew Jaquith: Well, that's a fabulous formulation. I wish I'd thought of it. But
I think that's right. I mean the context here in most enterprises is you're
responding to problems du jour. So you read and the newspapers and the
trade press, no offense to current company or anything, tends to focus on
things that are high profile. So social security administration guy left a
laptop in a van, got picked up by thieves, and that has caused them to
reform how they managed data security and all of a sudden full disk
encryption showed up on the requisition sheets of all federal agencies. And
soon thereafter on Fortune 500 priority lists all over. So, not to pick on
full disk encryption, very valuable, but one of those situations where a
symptom became correlated with an answer. And this is very endemic. What we
try to do at Forrester, is we try to look at this from a more strategic
approach. So start with the simple question of how are you organized?
What's your strategy going to be, about how you manage information? We ask
companies to take cues from their executives. Do you value the information
in your firm or not? Most companies intuitively know whether they're trying
to do the bare minimum, so that they won't be embarrassed in the press.
You've got some that are really paranoid about the publicity. You've got
others that genuinely care about the security of their competitive
information and their product plans.
So in those cases, that's where you start. You start with a strategy. You
then need to think about what people aspects do you need to tackle as part
of your information control programs? So how you organize? Do you devolve
responsibilities to your business units and your functions? Do you keep it
highly centralized? What kind of training do you need to have in place?
What other kinds of structural questions do you need to answer about how you
protect your information? So that's the second part. Process is about how
you get things done. What are the things that you need to be good at as an
organization, in order to be successful with securing information? So, for
example, the nuts and bolts around forensics and investigations, that's a
key competency. Classifying information is another. Providing ways of
understanding, getting visibility information flowing around your network.
Labeling, these are all part of what your processes ought to be. And then
finally, what's the technology that falls out of that? This is really where
you can start to make billed by lease partner type decisions whether you
really need data leak prevention or full disk encryption or email
encryption. I can go on and on and on. But once you know how you organize,
what you value, what your strategy is, you know what your organizational
people values are, how you're governed, how you're organized, what
processes you have in place. Then you can finally get to the technology
parts, and that's the order we recommend. And I'll be talking about this in
more detail tomorrow morning.
Eric Parizo: Many organizations though do already have some of those components
in place as part of their existing data security programs. How do you
advise organizations to gauge the health of those initiatives currently?
Andrew Jaquith: What I've described to you just a second ago, about the four basic
components. So there's strategy, people, process, and technology. Every one
of those areas has some key qualities that we like to see in enterprises,
and what we recommend that you do is self-assess if you like. You can
certainly talk to us. We're happy to help assess as well. Not to be too
self-serving here. But we have a model for grading you on a one to five
scale, or self-grading if you like, on all the dimensions of the model. Once
you get that you have a sense of where you sit. Frankly, most enterprises
don't want to be great at everything. One of the things that I hear all the
time when I talk to enterprise customers is, "we want to know how we're
doing relative to our peers around protecting our information." That's the
first thing they say. Then the second thing they say is "and we're not a
bank." Unless they are a bank in which case they want to say "what's these
other banks doing?" But for the most part, what that really gets to is
calibrate your measurements relative to where I ought to be for the type of
firm that I am. So if you're on a five scale for strategy and we're
measuring you across all those dimensions, you might not need to be a five
in all those categories. You might find that a three along the maturity
curve is fine. So ultimately it's finding that gap between where you are
today, versus where you want to be. And that's what looking at this from a
maturity model standpoint says. What it means is not one size fits all.
That you can adjust to the assessment based on your taste, your priorities,
and the industry that you're in.
Eric Parizo: Those elements you mentioned are what Forrester calls its
capabilities and maturity model, correct?
Andrew Jaquith: That's right. Yep. We've patterned it after, at least the
information control portion of it which I'm referring to here, is a subset
of the Forrester Information and Security Maturity model, which has 28
different domains and the information control is a subset of it. But it is
exactly that. It is trying to provide a holistic way of looking at the
problem and looking at it from an information-centric point of view.
Eric Parizo: Based on your experience with those themes in mind, what are the
organizational and process changes companies most often need to make to be
Andrew Jaquith: Really great question. I'll tell you, one of the toughest things
for enterprises is to understand their own limitations. This model I call
information control. But part of exercising control over your information
is knowing when not to be a control freak. And this is a hard thing to get
over for many enterprises. Because you have the information security
department right in the title, you would think that they're in charge of
securing all the firm's information. Otherwise why isn't it called
infrastructure security, right? But the truth though is that information
that matters to the business is usually only known by the business. The IT
teams don't really know what's valuable and what isn't. They know things
that are radioactive. So SSNs should not obviously be floating around in
email. Huge spreadsheets with medical records should not be sitting on
laptops at home, by an employee when they take it home to work. We know
this, right. So IT security has a responsibility for purifying their
information streams and keeping the stuff that is clearly toxic out.
But when you get to issues of strategic intent, company secrets, trade
information, this isn't something that security actually knows much about
because it's not their business. So the key change that enterprises need to
get over is to devolve. And from the standpoint of the IT security group, it
means letting go of control, letting go of that aspect of it, giving the
business units the tools that allow them to enforce their own
compartmentalization needs, and really that's it. And allowing the business
units to manage their security and their own information, in the same way
that your boss manages your objectives for whether you're promoting. The
way that they manage your salary, this is all part of whether you're
running a tight ship managerially or not. So that's the biggest hurdle to
get over is recognizing that there are elements of information security
that only the business can know and that is best of all to the business.
Eric Parizo: Again, to play devil's advocate with you for a minute, another large
research firm who we won't mention, makes a similar point but does so with
this specific to social networking data. But the other side of the coin is,
is the security team going to be called on the carpet if sensitive product
launch data, for instance, leaks out via Twitter or Facebook, what have you.
How does the security team handle that and is some internal evangelism
required to kind of convey the message you mentioned?
Andrew Jaquith: So it's a great question. What does security do and what's their
role here? In my view, the role is to be the standards setter, the provider
of tools, assist with evaluations, a center of excellence on deployment and
best practices. But ultimately, and maybe operations from the standpoint of
making sure that it's up, it's running, it's functioning, that it scales
the way it should and all of that. But from a day to day business
operations standpoint, they can't do that. I mean it's just not part of what
they do. IT isn't meant to be sensors, nannies. Ultimately, you want to give
the business the tools where they can get the information about what their
employees are up to, but ultimately, they need to make disciplinary decisions
or other decisions about whether those privileges are being abused or not.
I think to me this part of what management is as opposed to blaming
somebody else for your own failings. If something leaks out over Twitter, a
product launch leaks out over Twitter, it isn't IT security's fault. It's
the employee's fault. And the reason that they did it is probably known
between them and their manager. If they're leaking out on Twitter, there's
bigger issues and their boss probably ought to have known what they were
before that. To me, it's more a symptom of a management issue than a
technology failing. IT security can certainly buy a tool that will block
access to Twitter, but if it's needed from a business standpoint, then what
else are you going to do at the end of the day, about some of these very
business specific items? Leaving things like SSNs and obviously toxic stuff
out, but the real trade secret stuff really hard and I think ultimately you
have to treat it as a management problem.
Eric Parizo: Finally, in the context of your work with enterprises -- right now
would you say is the number one trouble spot that enterprises often have
when it comes to protecting their own data?
Andrew Jaquith: I'm not sure I'd call it a flashpoint so much as a point of worry.
We get a lot of requests around some of these mobile devices, and what do
we do. And to me that's the biggest worry right now. What do I need to do
to secure them? What's coming down the pipe? Are these devices going to be
secure over the longer term? Enterprises have a lot of questions, and it's
because these devices are so personal. They're often purchased by
employees, and because device ownership is a proxy for control, the
prospect of not owning the device raises very unsettling questions about
whether that also means that they're going to lose control as well. So I
think this is one of the big battle lines right now. Some security teams
have very legitimate fears, about data security risks on employee-owned
devices, or even consumer-grade devices that are being bought by the
enterprise. And those that really just sort of figure, well it's going to
happen anyway, I need to be able to say yes to those employees that are
going to do it. I think this is the big divide right now, and I don't think
we've settled on an answer. But it's been interesting as I talk to clients
about, you know you can usually put them in one bucket or the other. You
clearly sense whether they're of the enabler variety, I mean enabling in
sort of an AA sense, in some regards, versus those that are more kind of stickler and want
it to happen. So that's what I would say the biggest flashpoint is right
Eric Parizo: Alright Andrew Jaquith, with Forrester's Research. Thank you very
Andrew Jaquith: Eric, it's been my pleasure. Thanks.