Security driven by compliance, rather than protection

A new survey from Forrester shows that security is too focused on compliance and not enough on protecting valuable corporate secrets and custodial data.

Dave Rosenberg Co-founder, MuleSource
Dave Rosenberg has more than 15 years of technology and marketing experience that spans from Bell Labs to startup IPOs to open-source and cloud software companies. He is CEO and founder of Nodeable, co-founder of MuleSoft, and managing director for Hardy Way. He is an adviser to DataStax, IT Database, and Puppet Labs.

A new report by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, security programs are focused on compliance rather than data protection.

The report highlights several key findings that give anyone even remotely involved in the security of corporate data something to think about:

  • Secrets comprise two-thirds of the value of firms' information portfolios
  • Compliance, not security, drives security budgets
  • Firms focus on preventing accidents, but theft is where the money is
  • The more valuable a firm's information, the more incidents it will have
  • CISOs do not know how effective their security controls actually are

According to Forrester, corporate security programs are typically divided into two main categories of data types to protect: secrets and custodial data.

Secrets: information that can confer long-term competitive advantage, such as product plans, earnings forecasts, and trade secrets.

Secrets refer to information that the enterprise creates and wishes to keep under wraps. Secrets tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD.

Custodial data: customer, medical, and payment card information that becomes "toxic" when spilled or stolen.

Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes "toxic" and poisons the enterprise's air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.

Forrester notes that while toxic data spills are both dramatic and expensive, secrets are actually much more valuable and are an "underappreciated and underprotected information asset."

(Chart: Forrester, on behalf of Microsoft and RSA)

One of the big takeaways from the report is that compliance, rather than actual protection, is what drives both budgets and decision making about security. Moreover, firms with higher-value assets (secrets) were more likely to have cross-company links with other firms through a variety of applications and networks, so there are dramatically more opportunities for data security breaches to occur.

To the extent that these security problems can be addressed, Forrester recommends that IT executives take three immediate steps:

  1. Identify the most valuable information assets in your portfolio
  2. Create a "risk register" of data security risks
  3. Assess your program's balance between compliance and protecting secrets

The more valuable the data, the higher the risk, but the main point here is that enterprises need to focus on protection first, compliance second. If you don't protect your data, there won't be any business left for you to worry about compliance.