This week I’m attending the ISACA-Institute of Internal Auditors GRC Conference in Las Vegas. As one might imagine, data security is all over the agenda, so I’ve been taking notes for the audit and compliance executives back home looking for ways to make their GRC efforts better.
For starters I attended a fascinating session calling for a more expansive view of data security. The speaker was Terry Ray, chief technology officer of Imperva, a data security platform vendor. He began by noting that most companies obsess over the security of private or confidential data: names, addresses, dates of birth, health records, and so forth. That’s all well and good, Ray said, but shouldn’t we also consider the security and compliance risks lurking in non-private data?
Ray gave the example of a prison sentencing record stored in a state corrections department. Perhaps that record says John Doe is facing an eight-year prison term. Doe’s friend then offers a Department of Corrections employee $250,000 to log into the IT system and change the sentence to a two-year term.
From an IT perspective, all that’s happening is a user changing one digit in one system, from an “8” to a “2.” The number itself isn’t confidential; prison sentences are part of public court filings. Still, the security of that number is important, because the number can create corruption risk. This is an integrity risk rather than a confidentiality risk, and the number therefore needs to be protected all the same.
Except, think about what that really means. If we’re going to protect a piece of data throughout its entire existence — from the moment John Doe is sentenced to eight years, until the day he leaves prison eight years later — we’re not really talking about data protection; we’re talking about process integrity. The process of tracking inmates’ prison sentences must be free from unauthorized changes.
Well, in that case, who within the enterprise is in charge of process integrity? Because if it’s the CISO, then he or she is responsible for designing business processes. I bet plenty of business unit leaders would have something to say about that notion.
From Data Security to Process Integrity
I agree with Ray’s thesis that non-private data can pose just as much risk for a corporation as private data, even if the risk comes in different forms. I’m just not sure everyone grasps the implications of that point. Namely, if we adopt a “protect it all” approach to data security, that transforms how data security works, and auditors need to be crystal clear about that as they perform risk assessments and go about all the other business of assessing cybersecurity.
A good metaphor here might be to imagine a person (the piece of data) going through a tunnel (the business process). If the tunnel is crumbling and full of holes thanks to poor design, you can protect the person by making him wear a helmet or hold onto a guide rope. Or you could design a better tunnel in the first place, so that it protects anyone going through the tunnel.
That is, you can’t solve all your cybersecurity risks by bolting encryption onto your confidential data, or by adding multi-factor authentication to user log-in screens. Encryption addresses confidentiality and MFA addresses authentication; neither stops a legitimately logged-in, fully authenticated user from making an unauthorized change. You need to take a more sweeping “integrity-by-design” approach to developing your business processes overall.
Go back to our example of John Doe sitting in prison. To fend off the risk of someone bribing a corrections employee to alter his record, the wise approach would be to focus on the approvals necessary to change the prison sentence. Which users can actually change the record from an 8 to a 2? Who needs to counter-sign that change before it takes effect? How do you collect and confirm that approval, and how would you later detect a change that bypassed it?
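To make those questions concrete, here is an added example of what such a control looks like in code. It is my own illustration, not code from Ray’s talk, from Imperva’s product, or from any corrections department system. It assumes a hypothetical sentence ledger in which a proposed change is held pending until a different user with a supervisor role counter-signs it, and every step is written to an HMAC-chained audit log, so the live records can be replayed from the log and a direct “8 to 2” edit in the database that skipped the workflow shows up as a reconciliation failure. The role names, record IDs and audit key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample roles; no real employees or inmates are represented.
ROLES = {"clerk_a": "clerk", "clerk_b": "clerk",
         "super_x": "supervisor", "super_y": "supervisor"}


class ApprovalError(Exception):
    """Raised when a change is attempted outside the approval workflow."""


class SentenceLedger:
    """Sentence records that change only through a two-person workflow.

    Every create/request/approve step is appended to an HMAC-chained audit
    log, so the records can always be re-derived from the log and compared
    with what is actually stored.
    """

    def __init__(self, audit_key, roles):
        self._key = audit_key   # assumed: held by audit, not by the DB admins
        self._roles = roles
        self.records = {}       # record_id -> sentence length in years
        self.pending = {}       # record_id -> change awaiting counter-signature
        self.audit = []         # list of {"body": json text, "mac": hex}

    def _append(self, event):
        # Chain each entry to the previous MAC so deletions and reordering
        # are detected, then MAC the whole body so edits are detected.
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64
        body = json.dumps(dict(event, prev=prev), sort_keys=True)
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self.audit.append({"body": body, "mac": mac})

    def _require(self, actor, *allowed):
        if self._roles.get(actor) not in allowed:
            raise ApprovalError("%s may not perform this step" % actor)

    def create(self, record_id, years, actor):
        self._require(actor, "supervisor")
        if record_id in self.records:
            raise ApprovalError("record already exists")
        self.records[record_id] = years
        self._append({"event": "create", "record_id": record_id,
                      "years": years, "actor": actor})

    def request_change(self, record_id, new_years, actor):
        """Step 1: propose a change. Nothing in the record moves yet."""
        self._require(actor, "clerk", "supervisor")
        if record_id not in self.records:
            raise ApprovalError("no such record")
        if record_id in self.pending:
            raise ApprovalError("a change is already awaiting approval")
        self.pending[record_id] = {"old": self.records[record_id],
                                   "new": new_years, "requested_by": actor}
        self._append({"event": "request", "record_id": record_id,
                      "years": new_years, "actor": actor})

    def approve(self, record_id, actor):
        """Step 2: a different supervisor counter-signs; only then apply."""
        req = self.pending.get(record_id)
        if req is None:
            raise ApprovalError("nothing pending for %s" % record_id)
        self._require(actor, "supervisor")
        if actor == req["requested_by"]:
            raise ApprovalError("requester may not approve own change")
        if self.records[record_id] != req["old"]:
            raise ApprovalError("record changed since request; re-request")
        self.records[record_id] = req["new"]
        del self.pending[record_id]
        self._append({"event": "approve", "record_id": record_id,
                      "years": req["new"], "actor": actor,
                      "requested_by": req["requested_by"]})

    def verify_audit(self):
        """True only if every MAC and every prev-hash link checks out."""
        prev = "0" * 64
        for entry in self.audit:
            expected = hmac.new(self._key, entry["body"].encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            if json.loads(entry["body"])["prev"] != prev:
                return False
            prev = entry["mac"]
        return True

    def replay(self):
        """Rebuild what the records should be from the audit log alone."""
        state = {}
        for entry in self.audit:
            ev = json.loads(entry["body"])
            if ev["event"] in ("create", "approve"):
                state[ev["record_id"]] = ev["years"]
        return state

    def reconcile(self):
        """The auditor's check: log intact AND live records match the replay.
        A direct edit to self.records that skipped approve() fails this."""
        return self.verify_audit() and self.replay() == self.records
```

The two checks a reviewer would want are the ones in `approve()` (the approver must hold the supervisor role and must not be the requester, and the record must not have moved since the request was filed) and `reconcile()`, which is the detective control: an insider with direct database access can still flip the digit, but the change will not replay from the signed log, so it surfaces the next time the ledger is reconciled.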
Questions like that are important to guarantee process integrity. They can also take internal audit and the CISO to some unexpected places in IT strategy. For example, it’s no secret that applications routinely ship with security flaws; add the further dimension of how different apps interact with each other, and suddenly security risks are everywhere.
You could address that by implementing a data security platform, a technology that is meant to monitor and protect data across your enterprise at all times. Terry Ray’s company, Imperva, offers just such a platform, so of course he believes that’s a fantastic idea. I don’t know Imperva from a hole in the wall, but Ray’s commercial interests aside, he’s not wrong to float the idea as one possible solution.
I’m more interested in the control environment and strategic questions here. For example, do you revamp your software development processes and require software engineers to take an integrity-by-design approach? Do you reduce your reliance on cloud-based providers because you don’t know their process integrity? Do you re-scope your SOC 2 audits of third parties to make process integrity a greater priority?
My point is that any piece of data can, under the right circumstances, pose a risk to your organization. But if we want to take a “protect it all” approach, then we’re really protecting process integrity, and data security just comes along for the ride. Internal auditors need to appreciate all that this shift in focus entails, and then brace themselves for a long, strange trip.