QOTD on Data Security for CISOs

An excellent article on CSO Online written by Andrew Jaquith for on where CISOs should focus their efforts at securing data.
Instead of trying fruitlessly to be the enterprise's all-knowing content guardian, censor authority, and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.
As well as:
Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security's primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.
Src: Data Security: Whose Job Is It Really? | CSO Online

No comments: