Cyber Risk Management Chronicles, Episode VIII
All too often, organizations forget that cybersecurity is not a technology; it is a strategy. Throughout the industry we see reliance placed on technical solutions without much thought given to fundamentals and risk-based decision-making. This is a recipe for failure.
Perhaps the most widespread mistake we see is the failure to understand how essential a role information governance (IG) plays in cybersecurity.
Simply put, IG is an organization’s technologies, policies, processes, controls, and strategies to optimize information to meet its business needs, as well as legal and industry regulations, while minimizing risks.
A pillar of IG is to know your data: what you have, what form it is in, where it resides, how it is used, and how it is destroyed. The reality of most organizations is that over 50% (and in some cases 80%!) of their data is composed of redundant, obsolete, and trivial data (ROT).
Get Rid of ROT!
The beauty of getting rid of ROT, beyond the significant savings that accrue from reducing the data your company holds, is that it greatly reduces your threat surface. Less data for bad actors to attack obviously means less data you must defend.
Know Your Data!
Given the reality of limited budgets, cybersecurity programs cannot defend everything. Therefore, organizations must prioritize where to spend and what to defend. If an organization knows its data well, and the importance thereof, it can make risk-based decisions on how to defend it: spend less and defend better.
Bottom Line: effective IG leads to stronger cybersecurity.
Cybersecurity is more manageable, and thus more effective, when IG provides a clear understanding of your organization’s data and gets rid of ROT as a regular part of data management.