What’s the business cost of being unable to complete a task efficiently? A new post on MIT SMR’s blog “Improving Your Bottom Line With Cybersecurity” argues that it’s time to stop using scare tactics to justify necessary data protection capabilities.
Instead, it argues, look at the bottom line.
This is exactly right. Imagine you are a company in a highly regulated industry. What sort of information would you share, routinely, with other companies?
As with any business, the information you share day to day is about your core offerings – be those products or services. Industries that are regulated generally are so because of that reality. A typical software company, for example, might hold PII about its customers such as email addresses, credit card numbers, etc. But it probably does not traffic in this data (or else it would be some sort of service). As a result there isn’t the same level of regulation around software as an industry. Hopefully the need to share that information is limited to a handful of services (like payments) that are private and relatively compliant.
Yet in many regulated industries, when a business person wants to move a partnership or other cross-company relationship forward, and they ask IT or the security office how they can do that in a compliant way, they are questioned.
20 questions, at least.
What company are you sharing with? Are they an approved vendor? Do they hold a BAA with us? Do we have an NDA? Do we have a separate sharing agreement?
What sensitive information will be included? Is it all required?
Will this sharing have to be done again in future? Regularly? How often?
How many records are you sharing? Is the same sensitive information present in each?
Do they need to keep the information? In what format? Do they need to comment? Do we need to receive anything back from them? Can they forward the information?
Have they had a breach in the last 24 months? Have we reviewed their SOC?
What’s the business case for sharing this information?
Depending on the answers, the outcome will vary… from “make a business case”, which likely means no sharing for the immediate future, to “we need to find a tool that supports that.” Both outcomes likely require multiple round-trips with the compliance department to determine what may be appropriate.
What if we flip the approach around and answer the last question, first?
What’s the business case for sharing this information? “The business case for sharing information is core to our profitability and effectiveness with customers.”
From there, identify the compliance “buckets” you can put recipients into. Start to think in “zones”: green, blue, yellow, red… figure out what risk level is appropriate for the business value obtained from each and then what actions (from training to tools and automation) are appropriate.
Then identify the best tool or toolset to mitigate risk in the highest value zones, first.
For example, you may use cloud storage and sharing for the “green” zone of internal employees. Perhaps add DRM (e.g. Microsoft AIP’s RMS) for “blue” onboarded contractors who handle sensitive info, but not in bulk. Take a different approach for bulk transfers, and for collaboration where uploading is required. (Most auditor collaborations, for example, put both parties at risk of breach.) For sharing in the yellow and red zones, ensure you control the data and have full auditability with watermarking and no download (DL).
If you assign $ amounts to risk, you can pre-compute the answers to the 20 questions. Business users who are broadly uncertain how they can share data while complying will appreciate the lack of run-around. And as managers and leaders, the organization will benefit from using business priorities to allocate funds – not FUD.
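One way to make the "pre-computed" answers concrete is to encode the 20 questions as inputs to a risk score, assign a zone from that score, and return the controls the zone requires. The following is an added example, not code from the post or from MIT SMR; the dollar exposure figures, the likelihood multipliers, the zone cut-offs and the control names are all constructed placeholders that an organization would replace with its own numbers.

```python
"""Pre-computed data-sharing decision (added example; all figures are constructed placeholders)."""
from dataclasses import dataclass

# Constructed per-record dollar exposure by data class (placeholders, not real figures).
RECORD_EXPOSURE_USD = {"pii": 150, "phi": 400, "financial": 250}

# Constructed zone cut-offs on expected loss in dollars (placeholders).
BLUE_MAX_USD = 1_000
YELLOW_MAX_USD = 20_000
BULK_RECORDS = 1_000  # above this, treat the transfer as bulk

# Controls per zone, following the post's examples (hypothetical wording).
ZONE_CONTROLS = {
    "green": ["managed cloud storage and sharing"],
    "blue": ["managed cloud storage and sharing", "document DRM / rights management"],
    "yellow": ["controlled sharing workspace", "watermarking", "no download", "full audit trail"],
    "red": ["controlled sharing workspace", "watermarking", "no download", "full audit trail",
            "compliance review before release"],
}


@dataclass
class SharingRequest:
    """Answers to the compliance questions, captured once per request."""
    recipient: str
    data_classes: list
    record_count: int
    recurring: bool = False
    internal: bool = False
    has_nda: bool = False
    has_baa: bool = False            # required when PHI is shared
    soc_reviewed: bool = False
    breach_last_24_months: bool = False
    recipient_retains: bool = False


def exposure_usd(req):
    """Dollar exposure if every shared record were breached."""
    per_record = sum(RECORD_EXPOSURE_USD[c] for c in req.data_classes)
    return per_record * req.record_count


def breach_likelihood(req):
    """Constructed likelihood model: each unfavourable answer scales a 1% baseline."""
    p = 0.01
    if req.breach_last_24_months:
        p *= 4
    if not req.soc_reviewed:
        p *= 2
    if not req.has_nda:
        p *= 2
    if req.recurring:
        p *= 1.5
    if req.recipient_retains:
        p *= 1.5
    return min(p, 1.0)


def expected_loss_usd(req):
    return exposure_usd(req) * breach_likelihood(req)


def decide(req):
    """Map a request to a zone and the controls that zone requires."""
    reasons = []
    if req.internal:
        zone = "green"
        reasons.append("internal recipient")
    elif "phi" in req.data_classes and not req.has_baa:
        zone = "red"
        reasons.append("PHI shared without a BAA")
    else:
        loss = expected_loss_usd(req)
        bulk = req.record_count > BULK_RECORDS
        if loss < BLUE_MAX_USD and req.has_nda and not bulk:
            zone = "blue"
        elif loss < YELLOW_MAX_USD:
            zone = "yellow"
        else:
            zone = "red"
        reasons.append(f"expected loss ${loss:,.0f}" + (", bulk transfer" if bulk else ""))
    return {"zone": zone, "controls": ZONE_CONTROLS[zone], "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample request: a partner with a recent breach asking for a large recurring feed.
    partner = SharingRequest("ExamplePartner Inc.", ["pii", "financial"], 5000,
                             recurring=True, has_nda=True, breach_last_24_months=True)
    print(decide(partner))
```

Because the answers live in data rather than in a meeting, a business user gets the zone and the required toolset immediately, and the compliance office only reviews the red cases.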