"The online business magazine at the heart of international business management news..."

Defending Data

Aberdeen Group | www.aberdeen.com


Our industry is prone to adopting highly colorful – even whimsical – language to describe a number of very serious threats to our identities and our private information. From the domain of e-mail, of course, we have spam and phishing – and ever-evolving variants such as puddle phishing (targeting smaller, regional financial institutions and credit unions) and spear phishing (targeting specific individuals). If her personal computer is connected to the internet, even your Mom is probably well aware of viruses – but perhaps not quite so well aware of worms, Trojans, key loggers, zombies and bots. In the corporate world, meanwhile, security professionals are increasingly concerned about data protection issues such as pod-slurping (unauthorized copying of corporate data to iPods, which are essentially high-capacity disk drives), and thumbsucking (unauthorized copying of corporate data to high-capacity USB thumb drives).

The situation is reminiscent to me of the classic George Carlin comedy routine that compared the folksy, non-threatening language of baseball (ballpark, safe, home) to the more aggressive, war-based language of football (gridiron, aerial assault, blitz, bombs, ground attack). As Carlin humorously noted: “Baseball is a 19th century pastoral game; football is a 20th century technological struggle.” With respect to defending our data, perhaps our industry could actually benefit from taking the linguistic perspective of a 21st century technological struggle as we talk about these critical information security issues.

Over the past few months, Aberdeen Group’s research in the area of IT security has touched repeatedly on the important topic of protecting sensitive data:

May: In our report on Thwarting Data Loss, we saw that best-in-class organizations are set apart in their use of data loss prevention solutions, their emphasis on training users on appropriate data use, and their alignment with compliance initiatives. While virtually all organizations are concerned about data loss, best-in-class companies are making better headway in their efforts to stop it – protecting their data from both external and insider threats, and lowering the number of data loss incidents. Of particular interest was the finding that companies that make the attainment of regulatory compliance a key strategy report more success in actually protecting their data.

June: Our report on Protecting Cardholder Data focused on the degree to which best-in-class organizations are addressing the 12 high-level security requirements of the PCI Data Security Standard. The research shows that 86 percent of best-in-class companies have achieved a high level of current performance. We were also very pleased to find that best-in-class organizations tend to view PCI DSS as an opportunity, not as merely an obligation. More than two out of three view PCI DSS as the best available framework to guide their implementations. In addition, about half see an opportunity to leverage cardholder data security achieved through PCI DSS compliance to drive better protection of other sensitive business data, and to address compliance with other standards and regulations.

July: Our report on The Ins and Outs of E-Mail Vulnerability showed that best-in-class companies were able to decrease the loss of productivity attributable to e-mail, the cost associated with the remediation of e-mail attacks, and the number of malware infections and data loss incidents attributable to e-mail. Best-in-class companies are integrating their e-mail and web security, using encryption to protect e-mail in transit, and deploying data loss prevention software to prevent sensitive data from leaking through e-mail. They monitor, track and report threats and losses, and in general have greater visibility across the organization’s resources, managing threats on desktops, laptops, servers and networks.

August: Our most recent research on Encryption & Key Management revealed a sharp increase in the use of encryption to protect sensitive data – and a correspondingly sharp increase in the number of encryption keys under management. The latter is causing best-in-class organizations to seek more consistent, automated and cost-effective ways to manage the encryption keys that provide the foundation for this higher level of data protection. Today, the most prevalent approach for all companies is the tactical deployment of point solutions for encryption where specific needs exist. Best-in-class organizations, however, are beginning to adopt a more strategic, top-down approach to encryption and key management – which helps them to lower operational costs, support higher scale, reduce risk, maintain consistent security policies and achieve regulatory compliance.

Going forward, my research agenda will continue to include topics related to the protection of sensitive data, as part of Aberdeen Group’s mission to educate organizations with the facts they need to act on business and technology decisions.

In the end, while our industry might benefit from using less whimsical language to describe these critical data security issues, perhaps the objective of the game we’re all in together is similar after all to the way George Carlin described baseball: “The object is to go home! And to be safe! I hope I'll be safe at home!”

