Protecting Data Is Nonnegotiable Today—Does Your Team Have The Skills To Do It?
By Ameesh Divatia, CEO and co-founder | November 17, 2022
Not long ago, the security team was a subset of the IT department. Its main objective was to safeguard the IT infrastructure through perimeter protection, managing password changes and backing up data. But it is not that simple anymore. Organizations are moving a significant amount of their data to the cloud, where data analysis occurs. As a result, data is more valuable and mobile than ever, making its protection a top business priority.
Given the growing importance of data protection to business objectives, it is no surprise that the expertise organizations are looking for has changed drastically in recent years. In my experience working with CISOs and other security leaders, there are several prerequisite skill sets that they are seeking when expanding their staff.
It is safe to say that few recent developments have been more significant to businesses—and data protection in particular—than the move to the cloud. The pandemic certainly played a role in cloud adoption as organizations quickly shifted to remote-work environments.
Protecting cloud data requires a significant shift in mindset from achieving on-premises security because the potential attack surface is expanded to anywhere an employee may be storing, accessing or sharing data. By contrast, on-premises security relies on fortifying the database perimeter and protecting data that rarely leaves the database.
As a result of the shift to the cloud, organizations must have team members who understand best practices for securing data at the record level so that it is protected no matter who is using it, how they are using it or where it may be going. Security teams must also understand the details of the shared responsibility model, which relies on an agreement that specifies the security responsibilities of both the cloud provider and customer. Very often, providers are responsible for the security of the cloud infrastructure. In contrast, customers must protect the data inside the cloud.
Due to the shift from on-premises to the cloud, a company’s security team must thoroughly understand the organization’s information assets because security has moved from the structure level (database perimeter) to the record level (every document in the organization’s possession). Further, it is essential to know what kind of data exists in each record, such as personally identifiable information, Social Security numbers and credit card numbers. Additionally, classifying data and applying the appropriate security controls are necessary for today’s business environment.
Regulatory adherence is a top priority for many businesses. Data privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have become more commonplace and stringent. Five states currently have privacy regulations on the books, and many more are considering similar legislation.
The results of a recent Enterprise Management Associates (EMA) study, sponsored by Baffle, found that 76% of organizations have significantly or completely revised security strategies based on compliance concerns and that 68% believe their regulatory compliance programs are a competitive differentiator. Although not every team member needs to be an expert in compliance trends, all must be familiar with the regulations their organization follows and work in a manner that helps maintain continuous compliance.
Supply Chain Risk Mitigation
Supply chains are enormous targets for cybercriminals, who are adept at exploiting weaknesses such as vulnerable code within open-source projects. Organizations should recruit team members with experience conducting audits and penetration testing to identify potential vulnerabilities. These team members should know how to perform cybersecurity protection updates and clearly understand where the code is coming from.
Data Analytics Skills
Thanks to the advent of analytics, data is a company’s most valuable nonhuman asset. Data analytics can help companies uncover valuable insights about improving their operations, determine what areas of the business are the most efficient and identify trends that help inform decisions and give organizations a competitive market advantage. Consequently, data protection professionals must know how to protect data throughout its journey in the data analytics pipeline via techniques such as data masking, encryption and tokenization—all while not interrupting or slowing down data projects.
Incident Response Preparedness
At some point, every organization will experience an intentional or accidental data breach, and everyone on the IT team must understand their role in mitigating the damage. As with any emergency, time is of the essence, and understanding how and when to engage in incident response will help minimize the damage of data exposure. To that end, organizations must conduct consistent incident response training that evolves as new threats emerge.
Expanded Business Acumen
Security teams are no longer insulated groups because data protection is now a pressing business objective, and it has the full attention of the C-suite. The evolution of the CISO role—a position that requires an understanding of security and its impact on the business—reflects where security is going. Organizations must acquire or develop team members who can communicate and collaborate with various departments. These employees must understand the industry better than ever before and apply their knowledge to advance the organization’s goals.
Whether someone is new to the field or wishes to uplevel their knowledge and skills, one thing is clear: To stay ahead of the ever-evolving risks, security and data protection professionals must be ready to adjust to constant changes, remain apprised of the latest technologies and be continuously willing to improve and learn new skills.
This article originally appeared in Forbes.