Too many companies are trying to patch together their digital transformation piecemeal. On average, they have 70 security solutions in place. Each one addresses a symptom, but they don’t make things better because they miss the big picture. In the end, they create more problems than they solve.
That was the assessment of Nick Nikols, vice president of strategy in Micro Focus’s security, risk and governance product group. Founded in 1976 and based in Newbury, England, Micro Focus has products that work together to offer security and governance solutions for large enterprises.
During a recent briefing given to TAG Cyber analysts, Nikols focused first on the big picture. He spoke of the need for a company’s data team, applications team and identities team to work together. Too often they don’t, he said.
He made his way through slides that led to the data breach defense chart of the NIST Cybersecurity Framework (first released in 2014). The familiar chart began with a company’s need to identify and protect against risks. Then it must detect, respond to and recover from an incident. Nikols followed these with slides that identified Micro Focus products that facilitate the tasks required by each phase.
He moved ahead to take a close look at NIST’s recently released Privacy Framework. This new framework is modeled on its predecessor, and Nikols’s slides showed a similar chart and then Micro Focus products that help companies secure data and ensure privacy. The software can anonymize and encrypt data with the option of subsequently decrypting it. And the process can be automated.
Data lifecycle management requires lots of choices, Nikols explained. How do you want to set the access controls that establish who can see the data? What data should be preserved and made available? What data should be removed, deleted or destroyed? “Are we being good data stewards?” That’s the big question companies need to consider, he said.
Nikols’s colleague, Greg Clark, who works in the company’s product management division, talked about the privacy laws that have spurred so many new products, and driven so much activity, during the past few years. He mentioned the EU’s General Data Protection Regulation and the California Consumer Privacy Act.
As these were rolled out, Clark continued, general counsel everywhere needed analyses that could tell them how the new laws applied to their companies and their data. They also needed advice on how to respond to data access requests and the full range of client demands.
Some consumer preferences have required the creation of new tools. For example, Nikols said, if a video captures four people speaking, but only one gave his consent to be recorded, the software can autoredact the other three. In real time.
They have other tools available, he noted. Individuals can be monitored as they travel around a city by software that tracks the movements of their license plates. Obviously this raises privacy concerns, he acknowledged. It’s one of many new techniques that can be used. But should it? And under what circumstances? And who in a company makes that decision?
Clearly these are the kinds of questions that general counsel would want to be consulted on. But it’s not uncommon, Nikols said, for consultants to wire in governance controls they deem appropriate without actually communicating with the executives who ought to make these decisions.
And consultants are sometimes guilty of “entitlement cloning.” Administrators issue privileges or roles, and then consultants come in and build scripts that determine which data employees can access. But often they do so without the knowledge or direction of the business. For example, Bob has access to certain information. To the consultants, Tim appears to occupy a role similar to Bob’s, so they give him the same access. It may be completely inappropriate—and it may also be difficult for the company to change those settings.
Micro Focus takes a different approach to data privacy. They talk to the client’s administrators and lawyers to review the organization’s governance, Clark said. They work through the rationale with the company’s team to ensure that its policies are based on affirmative decisions.
In the end, he said, the line of business should understand and affirmatively direct decisions. And it should have the ability to rewire or alter privileges when circumstances change.
The bottom line for Micro Focus is that organizations looking to digitally transform need a strategy that takes the big picture into account, while addressing cybersecurity and privacy issues holistically rather than in fits and starts.
They can begin by recognizing that there isn’t an “easy button” when it comes to addressing these challenges. Tackling them will require a much more organized and orchestrated approach. There are clear steps that can guide organizations to incrementally improve their security and privacy as they digitally transform.
Through better discovery, identification and classification of sensitive data and resources; better decision-making about what activities are appropriate for these resources (and which identities are allowed to perform those activities); and better enforcement of these decisions through implementing appropriate access and encryption controls, organizations can greatly improve their success in securely meeting their digital transformation goals.