How Mature is Your Data Security?

The biggest challenge faced by organisations in today's environment is protecting their data. In recent times we have seen numerous successful attacks across various industries aimed at stealing or leaking data. Some of the known data breaches include:

  • Sony Pictures: PII, PHI, unreleased films, company e-mails
  • eBay: Encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers, dates of birth
  • Target: Credit and debit cards, customer details

The above breaches indicate that size and sector don't matter to attackers. All organisations are vulnerable to attack, and the consequences can derail companies and their leaders' careers.
A typical approach organisations take to protect data is to implement point solutions that address the issues identified during an audit exercise or after an incident. These point solutions solve the specific issue under consideration, leaving aside the holistic picture and the need to look at data security from an organisation-wide perspective.
One of the key success factors in ensuring an effective and efficient approach to securing data is to understand the maturity of data security within the organisation. This can be done by assessing the current maturity at the levels of People, Process and Technology and identifying both the as-is state and the target state to be achieved.
A simple five-point approach can be adopted to address data security:

  1. Assess the current level of maturity with respect to People, Process and Technology.
  2. Understand and Identify the requirements to reach the next level of maturity.
  3. Identify the improvements & respective initiatives required to achieve the next level of maturity.
  4. Prioritise and implement the initiatives required to reach the to-be state.
  5. Track, monitor and evaluate the initiatives on agreed parameters e.g. timeline, budget, benefits achieved, risk reduction, control effectiveness, etc.

The three key benefits of using a Data Security Maturity Model are:

  1. The organisation gets a detailed view of where it stands in terms of its data security capabilities across the key aspects of People, Process and Technology.
  2. It can identify the target state which it wants to achieve based on the risks, resources available and organisation's objective.
  3. It acts as a benchmark to assess the current state and plan the future state, so that data security capabilities keep improving within the organisation.
There are 2 Comments

We can add "Philosophy" as an overarching maturity measure above People, Process, and Technology.
Immature entities may see Security as a necessary evil and control activity, and possibly as an impediment to doing business. Medium maturity entities might be working to more strongly integrate security into and align it with the business. High maturity entities recognize security as a core requirement, and secure thinking and behavior have become ingrained into the business culture.
We can also add "Data" as a maturity measure. Is sensitive or regulated data everywhere and anywhere? Is there some attempt or project to contain and isolate this data? Or, is it fully contained, isolated, protected, and monitored?

If you replaced "data security" with anything else, say "identity management", "enterprise vulnerability management" or even "donut manufacturing procedure", in your simple 5 point approach, how would any of the five points be any different?