Data, Information Security and Cyberspace: protect billions of data or dollars?

(By Carlo Mauceli)
30/07/19

Most scholars and policy makers say cyberspace favors lawlessness, while a minority of scholars disagree. In-depth statements on the balance between defense and offense in cyberspace are misleading because a correct balance can only be assessed with regard to specific organizational skills and technologies.

Too often we discuss this equilibrium in terms of costs: we tend to evaluate the balance that one side or the other is able to generate (where "balance" means the value minus the costs of offensive operations and the value minus the costs of defensive operations). The costs of IT operations are, for the most part, calculated based on the organizational skills needed to efficiently create and manage complex information technology.

If we look at the current scenario, the success of an offensive activity derives mainly from poor defensive management and from the relatively simpler objectives that an offensive activity has. In fact, we talk about the "asymmetry" of the cyber phenomenon because of the extraordinary difference that exists between the attacker and the defender. Obviously, this is not always the case.

For example, an empirical analysis shows that the Stuxnet-based cyber attacks on Iranian nuclear facilities most likely cost the attacker much more than the defense. However, the benefits perceived by the attacker and, on the other hand, the damage perceived by the defender were probably two orders of magnitude higher than the costs actually incurred, which makes it unlikely that decision makers would concentrate on costs.

In this article, however, I don't want to concentrate on costs, which I used as an introduction simply to try to make the topic more "attractive" and, perhaps, more accessible to everyone.

What I want to focus on is reasoning along different lines, in which cyber defense can be used intelligently to attribute the right value to the most precious assets of each organization after its people: data and information.

In recent years, cyber defense technologies have evolved rapidly to help companies protect their networks, restrict access and prevent data loss. And the market has witnessed an important escalation from this point of view.

What if we try to think differently now? What if we started leveraging all the principles used in our defensive data security strategies to take a more proactive approach? Basically, what would happen if we set out to think as hackers think, not only to counter them but also to attribute the right value "to the assets to be protected"?

What I mean is that data and information have a value that, if made evident through information and knowledge management tools and policies, can help technicians defend "assets" of different value in different ways and can help CIOs and CISOs ask for the necessary resources in proportion to the "value" to be protected.

Some data security tools and technologies can effectively provide better visibility into daily activity and can help us discover the true value of all the data we have protected. In fact, adopting an approach of this type can ultimately lead companies towards a greater awareness of the data they have in their hands and, why not, also to greater efficiency, new ideas and growth.

Machine Learning and Artificial Intelligence

Organizations have been adopting machine learning and artificial intelligence (AI) solutions in data analysis and data management for some time now. Why not apply these technologies in our approach to data security in order to extract a similar business value?

Many data protection tools, used defensively, allow you to identify and catalog information in network systems to better understand the different levels of sensitivity of that data. Machine learning and the metadata applied during this process allow you to take this understanding to a deeper level by creating context around the data that allows organizations to set more customized security policies for managing information.

These information management practices, in general, still fall within the realm of cyber defense - they are reacting to protect data against cybercrime. However, data protection technologies that use metadata allow you to tag data with various details and assign categories to extract its true value. Knowing the deeper context around the data allows the use of differentiated data protection strategies and tools so as to allow the business to go much further than usual.

As data protection technologies reveal the broader context of data, that context offers data security professionals a new way to talk to the executive leaders of the organization. In summary, they can show how valuable a specific piece of data is, as well as determine which data is truly critical (and should have stricter protection) and which data is suitable for public consumption (and does not need advanced protection).

Measurement, monetization and data management

How many people talk about data as the "new oil"?! After all, this statement has become a slogan. But how can we really quantify the value of this new commodity? If we can classify our data using metadata and begin to understand the context around it, the value will begin to emerge.

When we produce a document, we could start by asking ourselves different questions:

  • Is it a confidential document or is it freely accessible?
  • Was it tagged by someone in R&D?
  • Is it a confidential document that has been tagged by someone in finance?
  • Is it financial information of a patrimonial nature or does it simply represent a cash flow statement?
  • How long should it be kept?

And so on...

Suppose you can identify 10,000 documents containing R&D data in your system. If you know the context around those documents, you can begin to understand how much each of those documents is worth or what the financial risk to the company is in the event of loss or theft.

Some files and documents contain personal information or personal health information (PHI). The financial risks associated with this type of data have more to do with fines for non-compliance, the possible monetary liability towards customers and employees and the costs of repairing the damage to the reputation of the brand. Other documents contain data that could stimulate innovation and business growth, and the financial risk can be calculated based on potential earnings opportunities.

Through metadata tags on other types of files, emails and documents, you can get more information about customers or sales cycles. For example, if a company has a good quarter, you can look backwards to find out how many times the word "quote" or "RFP" has appeared in e-mails and documents in the last three months and begin to predict the results of the next quarter.

According to Gartner research, by 2022, 90% of corporate strategies will explicitly mention information as a critical corporate asset. Currently, however, Gartner says, "... most information and business leaders lack the information and tools to monetize information ... because the value of the information itself is still largely unrecognized, even if the value of other intangible assets, such as copyright, trademarks and patents, is measured and reported."

The monetization of information is part of the broader trend towards Infonomics, a term coined by Gartner to describe the discipline of attributing economic importance to information, despite the limits of the current accounting standards. According to Gartner, Infonomics also identifies "the tangible and intangible costs of managing, storing, analyzing and protecting data".

Companies that measure the value of their data can make smarter investments in data-related initiatives. By monetizing data, organizations can create additional revenue streams, introduce a new line of business, achieve efficiencies in daily business practices, and more.

A data protection strategy that proactively extracts value from protected data puts IT in a new position of consulting with executive leadership. The parameters change drastically: instead of simply saying, "We have a lot of sensitive data, and we need to protect it", you can go to corporate leaders and say, "Hey! We have about a billion dollars of data and we should manage it adequately, enhance it and protect it, as we are probably not doing so."

We can't do it alone

Extracting value is not something humans can do on their own with a high degree of accuracy, and when it comes to data security, accuracy is paramount, whether you're taking a defensive or offensive approach. If you are going to provide a level of depth around your data to protect it properly or to determine its value, you need to be specific.

By training and retraining machine learning algorithms to recognize personalized data categories, the accuracy and depth of the context around the information expand exponentially. Over time, users will get used to tagging data with increasingly specific details to explain the context, which will increase the value beyond measure. It is the perfect example of human beings and technologies working intelligently together.

Not only can information management behaviors become more specific to a company, protecting data at the appropriate levels and meeting security compliance requirements, but you can begin to understand data, or rather information and knowledge, as a real corporate asset with the possibility of bringing the business to a higher level of efficiency and success.
