Expert Tips On Meeting Data Security Challenges 

Tips from an expert panel of CISOs on meeting data security challenges in a digital world

InfoSec 2024 - Tips On Meeting Security Challenges

At Infosecurity Europe 2024, an expert panel of CISOs including: James Mckinlay, Head of Information Security,; Sean Turner, CISO, Twinstake; Owen John, Head of Cyber Architecture, Imperial Brands; Simon Goldsmith, Enterprise Security & Platforms Lead, OVO; and David Prince, Lead Advisory Partner, Istari, discussed how teams can meet modern data security challenges.

Why It Matters: Data breaches can affect organizations of all sizes with the average cost of a breach continuing to rise. Data privacy regulations mean your organization can be hit with a hefty penalty if you are found to be improperly securing data you collect.

  • The average data breach costs $4.45 million USD
  • The average cost of a breach has risen by 15% in the last 3 years
  • There have been over 5 million records breached so far in 2024 alone

What the panel covered: Learning and understanding how data breaches happen, how organizations can implement stronger data security practices, and the impact of having insurance.

The Challenges: What are the data security challenges teams are facing today?

  • The global threat landscape has never been this bad
  • De-parameterization – Data is everywhere, we’ve got to figure out what we’re doing with that
  • You can’t secure what you don’t know about. So many organizations have data in different places and we don’t know where it is
  • Executives are not worried enough about what might go wrong if we don’t invest in IT security. The very technical focus doesn’t always go well with legal and data protection focuses. The business always wants to go faster – which is a key challenge.

Supporting innovation: How do you enable the organization to innovate at speed, without creating risk?

  • Role-based access, data labelling, containers for different types of data. Stop putting data labelling and data tracking off! That should be one of the pillars of your security program. 
  • Having an IGA (Identity Governance and Administration solution) in place to ensure people can access the right resources, at the right time, for the right reason is key. 
  • Map where your current gaps are in your maturity and take those impact on the business financially and in terms of security.
  • Map out the critical economic functions of the business and how data entities relate to those functions. Then you can say why you care about the data integrity of the business. You can then start having a business discussion and start generating investment.

Getting It Right: You do you start putting data protection in practice?

  • Data labelling doesn’t have to be difficult or complicated. You only need to have 3 or 4 levels. Have a commonsense approach to get you somewhere along your journey to proper data classification, data attacking, and alerting. Do an experiment to test that people have understood the paperwork. Don’t try to deal with it all.
  • The how has to start with the people and the processes, not the technology. Change management will be very different in a startup vs a large organization. Prioritize people, process, and then technology. The general technology we talk about in terms of cybersecurity is not that complicated; the people and the processes are far harder. 
  • It is about people first and how you get them to feel ownership and accountability for the security of the data that they are responsible for.
  • Technology has now moved to the SaaS space. It’s more important than ever to look at third party risk management and SOC2. Understand who your critical suppliers are and get contracts in place so if they get hacked, they have to tell you. Get those reciprocal relationships in place.

Further Reading