Data is the currency of the knowledge economy. This makes it a highly valuable commodity – for organizations and cybercriminals alike. As threats to data security mount, organizations must find ways to keep their critical digital assets safe at all touch points and compliant with international data protection regulations that vary by country.
A tall order, to be sure. Yet protecting data is a mandate in today’s global economy. With customers all over the world, organizations need to be able to demonstrate transparently how they are protecting data and ensuring privacy to earn the trust of their customers, users, partners and employees. This year at CiscoLive Berlin, I shared how Cisco protects its sensitive data through a data protection program that emphasizes trust and compliance with the law. It’s my hope that the information will be brought home and used by attendees in their own organizations.
First and foremost, you need to build a multidisciplinary team. For data protection practices to be adopted, it’s critical they seamlessly align with the operations of your organization. The right people need to be at the table to understand how to do that most effectively. Privacy and Security teams need to lead the way together, but also need to bring in expertise and diverse perspectives from other teams.
Second, you need to inventory your data. You can’t protect what you don’t know that you have. Begin with a high-level exploration and work your way towards a more detailed data landscape, in all cases seeking to understand what you have, where it is stored, who has access to it and from where, and how that data moves around your organization.
In parallel, choose a data protection program framework to use as the foundation for your program. There are many excellent options from which to choose. You don’t need to start from scratch, but you do need to adapt the framework to your organization’s culture and operational practices. Cisco’s program includes:
- Policies and Standards
- Identification and Classification
- Data Risk and Organizational Maturity
- Incident Response
- Oversight and Enforcement
- Privacy and Security by Design
- Awareness and Education
With your framework established, you can gather best practices from across your organization that deliver on core framework elements, adapting only as necessary for scale.
Next, assess your organizational and data-centric risk. Cisco leverages a data protection maturity model to keep tabs on the maturity of our processes and our progress towards where we want them to be. We also look at each data set and the opportunities it offers and the threats it faces across the organization and the ecosystem. Use the results of this risk assessment to focus your efforts. Start by taking action in the areas of greatest impact – positive or negative.
Finally, plan to iterate. Given the dynamic nature of the political and technology landscapes, you need to be agile. Begin with a minimum viable program and rapidly add sophistication over time.
Cisco’s Data Protection Program (DPP) allows us to focus and respond effectively in an incredibly complex and dynamic environment by taking a collaborative, risk-based approach to data protection. I am looking forward to seeing you at RSA at the end of the month!