The biggest challenge faced by organisations in today's environment is protecting their data. In recent times we have seen numerous successful attacks across various industries that stole or leaked data. Some of the known data breaches include:
- Sony Pictures: PII, PHI, unreleased films, company e-mails
- eBay: Encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers, dates of birth
- Target: Credit and debit cards, customer details
The above breaches indicate that size and sector don't matter to attackers. All organisations are vulnerable to attacks, and the consequences can derail companies and their leaders' careers.
A typical approach organisations take to protect data is to implement point solutions that address issues identified during an audit exercise or after an incident has been identified. These point solutions resolve the specific issue under consideration but leave aside the holistic picture, that is, the need to look at data security from an organisation-wide perspective.
One of the key success factors in ensuring an effective and efficient approach to securing data is to understand the maturity of data security within the organisation. This can be done by assessing the current maturity at the different levels of People, Process and Technology and identifying the as-is state and the target state to be achieved.
A simple 5-point approach can be adopted to address data security:
- Assess the current level of maturity with respect to People, Process and Technology.
- Understand and identify the requirements to reach the next level of maturity.
- Identify the improvements & respective initiatives required to achieve the next level of maturity.
- Prioritise & implement the initiatives required to reach the to-be state.
- Track, monitor and evaluate the initiatives on agreed parameters, e.g. timeline, budget, benefits achieved, risk reduction, control effectiveness, etc.
The three key benefits of using a Data Security Maturity Model are:
- The organisation gets a detailed view of where it stands in terms of its data security capabilities across the key aspects of People, Process and Technology.
- It can identify the target state it wants to achieve based on the risks, the resources available and the organisation's objective.
- It acts as a benchmark to assess the current state and plan the future state, so that data security capabilities within the organisation keep improving.