Conversations in Risk-Based Security

Don’t be an information hoarder - A chat with Larry Newfield VP Systems, Engineering, and Compliance

Posted by Joseph Wilson on May 24, 2018 10:27:23 AM

What are the most important principles in information security?
Data Minimization and Frictionless Security. Data minimization is a real key. You can’t lose, nor hurt clients’ privacy if you are not maintaining things someone wants to steal. This also makes it easier to protect what data you do have. If you have fewer categories of data, it is easier to sort out what you need to protect to the highest level versus elements that are not quite as sensitive, or about clients. In thinking about data minimization, you must always be asking: Why was this sent to us? Why should we be storing it? Are there govt regulations that force me to store it for a minimum timeframe?

Customer data is required to create an initial transaction, but the data is rarely accessed again and should not be stored. It is that simple. Anything you must retain and re-use should be tokenized. Data minimization helps to drive down overhead. Additionally, because you are simplifying your data storage and protection, a natural consequence is your processes can improve and data retention if necessary can be reduced

You also mentioned Frictionless Security, what do you mean by that?
Along with driving down overhead, Frictionless Security reduces the resistance to security from your users, helps drive compliance with information security objectives, and eases acceptance.  End users often view security as slowing down the business and adding complexity.   The goal of Frictionless security is to enable the business to implement and operate securely while reducing overhead.  A recent example : we are in the process of deploying Hashicorp’s vault open source software (https://www.vaultproject.io/intro/).   Vault provides an easy to consume restful API for (among other things) encryption key management (protecting keys at rest, key rotation, key management, auditing, etc.)  Having this facility available to the development team reduces their workload on new applications while simultaneously enabling the creation of cryptographically secure solutions.  Frictionless security is a win-win. Often times a simple training or explanation on why the security objectives are necessary and the increased benefits to the organization and consumer can minimize the resistance and friction.

Can this help you win customers?
Leveraging these principles enables a firm to be a differentiator. If you offer a service which guarantees a better level of protection for your clients’ data, you will have competitive advantage. This may also allow you to offer your differentiators as paid services, generating additional revenue.  Added revenue, either through paid services or higher market share allows Information Security to monetize the security investment for senior management. That improves the odds of security budgets being approved. Maintaining the security budgets must be periodically justified, so the CISO must engage sales and marketing to add weight to the evidence that the investment in security is critical for success.

What else are you seeing now that impacts CISO’s?                                  
These elements have become very important, because of the growing number of breaches impacting the public’s data privacy, think Equifax and Anthem. Now every service RFP has a cyber security audit requirement; by a third-party auditor or the buying firm. This also impacts cloud providers, who previously treated users like parking deck patrons, “We are not responsible for theft nor damage to your vehicle.” Those days are gone. The cloud provider will also be held accountable for security. That doesn’t mean you can push your responsibility for security to the cloud provider. Best case, it might mean the both of you are sued for breach. You are responsible for protecting your client data, no matter where it resides. At the end of the day it is your name the consumer will remember and not the 3rd party provider.