As an investor, I’ve spent years talking to hundreds of entrepreneurs and dozens of practitioners attempting to solve the modern data security problem. Data in the modern enterprise is a double-edged sword: on one hand, modern enterprises need to derive value from ever-growing quantities of data. In today’s world, the most successful enterprises will be the enterprises in which all employees are equipped to efficiently leverage data to make data driven decisions. This requires high levels of data collaboration and expanding data access. On the other hand, expanded data collaboration and access leads to an expanded attack surface, increasing the enterprise risk posture and exposing the enterprise to cybersecurity threats.
The challenge is to find a balance of visibility, accessibility, and data controls. Traditionally, CISOs have been gatekeepers tasked with preventing the flow of data throughout the organization. CISOs use legacy tools designed for centralized, coarse-grained access controls that provide limited visibility across hybrid environments that are simply not built for the modern enterprise data needs. Without effective ways to see and collaborate on data, data is frequently shared via copies which cause data sprawl and shadow data, further reducing visibility and increasing risk and compounding the problem. For the 2023 CISO Survival Guide to Emerging Trends from the Startup Ecosystem (in partnership with Cisco Investments, NightDragon, and Team8), we spoke with practitioners and conducted a poll of over 100 security leaders to hone in on issues around identity, data and collaboration, software supply chain, and cloud security.
At the moment, we’ll focus on structured data objects (e.g. databases), and exclude file management, file management/sharing.
Visibility: A Blueprint for the Future of Data Security
In our CISO Survival Guide, Data Access Control was flagged as the second highest priority for security hygiene spending behind Data Identity and Privileged Access Management: CISOs report Data Identity and Privileged Access Management is one of their top security hygiene spending priorities. It’s no surprise that the first step in securing data in the modern enterprise is at the intersection of data and identity and the ability to answer these two questions:
- What groups/identities have access to what types of data?
- What groups/identities have accessed what types of data?
Symmetry Systems recently has developed an executive Data Security Scorecard that highlights different identity attributes vs. data store attributes, and enables CISOs and compliance teams to see and remediate over-privileged access to on-prem and cloud data stores.
Views like this are essential to developing sophisticated visibility into crown-jewel data across your hybrid environment. The ability to double-click into the details and see who has accessed what data and when is a powerful tool for compliance and post-breach investigations.
Modern Data Security: The Roadmap to Secure Data Collaboration
Enterprises need to start thinking on how they will improve data collaboration across data stores throughout the enterprises. Data security must simultaneously improve risk management and enhance usability. From my perspective, there are a few key concepts that need to be enabled to enable data collaboration:
- Federated data access controls: data owners to help manage access controls, erasing inefficiencies in centralized access management.
-
Fine-grained access controls: Access controls need to be contextualized and fine-grained, targeting data controls down to the row, column, and cell level.
-
Data co-production: People and systems need to be able to seamlessly collaborate on data sets, eliminating the need to copy (aka integrate) data across silos – in essence “productizing data” for joint co-production and collaboration using modern platforms – such as the data collaboration platform Cinchy.
While companies will have their unique journeys that require contextualized decision-making, I recommend companies approach collaboration at the line-of-business level, unlocking data collaboration in smaller segments of the enterprise that will lead to an exponential impact over time. Companies and security teams that cling to legacy data security and are too slow to adopt modern practices will fall behind. Agility, accessibility, and security are table stakes for enterprises of the future to leverage data and drive business.
