Marie Kondo, an organization expert who helps people “tidy up” their lives by decluttering, has become a worldwide sensation. She expounds the virtues of tidying up, including how it reduces stress, simplifies your life, and creates feelings of happiness and serenity. Her advice about organizing the home and office has been featured everywhere from Good Housekeeping to Fortune and the Wall Street Journal. She has a show on Netflix. She's sold over 11 million copies of her books and they’ve been translated into more than 40 languages.
It’s fair to say people like tidying up. It sparks joy, as Kondo is known for saying.
But this person- and home-based philosophy of tidying up does not translate to the corporate world. Quite the contrary. Businesses hoard data like it’s precious gold. In some cases, data is the currency that translates to more market opportunity, more customers, and more revenue. In many cases, though, it is simply data amassed, and organizations cannot realistically explain why they have so much data, whether that data is still accurate, how it may skew data analysis if it’s inaccurate, or how to meaningfully monetize the quantity of data they have in their data stores.
Now, this isn’t to say there aren’t companies utilizing big data like rock stars. There are. But there are more companies collecting and storing unnecessary data than there are Amazons, Targets, and Starbucks of the world. Ask any marketer how many undeliverable emails and bounce backs they get from any single marketing campaign. Needless to say, in this example, you’re only looking at one database.
The mass collection, processing, and storage of data has become the norm for businesses. And unless you’ve been living under a rock, you know that the number of data breaches and the number of records lost in those breaches are going up year after year. As a security practitioner, you also know that these trends are the impetus behind the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights & Enforcement Act (CPREA), and many more data protection and privacy-focused regulations that have come to pass in recent years. These regulations aim to put more control over data use and data deletion into the hands of consumers and require businesses to provide auditable processes for secure data handling.
Despite all of this, businesses “are not focusing on data-centric security. They are spending most of their time and resources trying to secure the perimeter, using the same approach they have for years without applying security controls where critical data assets are. And the breaches keep coming; businesses end up losing more data than desired,” said Sameer Ahirrao, CEO and founder of Ardent Privacy, a data security and privacy firm based in Maryland. “Despite all the security tools and technologies we have at our disposal, we continue to see breaches like Marriott, where, not only did they lose millions of customer records, but they couldn’t accurately report the number of records lost in the breach. Companies have serious challenges keeping track of all the sensitive data they have.”
True enough, during our recent conversation Sameer and Ed joked about how, when a company declares a breach, they will cite X number of records lost/stolen/accessed. Yet anyone who is curious and pokes around on the dark web can see cyber criminals stating that they have X times 10 for that same data dump! Maybe the corporate statement is meant to minimize bad press, but likely it’s also a reflection of obliviousness to the extent of organizational data collected and stored.
The more data a company has, the greater the risk of data breach and compliance issues around proper collection, usage, sharing, processing, and deletion. This is the problem Sameer and Ardent Privacy are passionate about solving: “We need to focus on where sensitive data is and put security controls around it rather than assuming security around the entire infrastructure or perimeter is enough,” he said. “Because companies have too much excess data, they are increasing their business risk with every unnecessary piece of sensitive data they hold on to for too long.”
Ardent’s technology is a machine learning- and artificial intelligence-driven platform that helps companies identify and map sensitive data, then reduce the footprint of that data through minimization and/or deletion. The Ardent Privacy platform scans companies’ data stores looking for PII, IP, and other sensitive data, and identifies unused files. Based on metadata, Ardent analyzes data attributes, such as creation and modification dates, last accessed date, number of bytes, document types, and any classification applied by the data owner(s). Next, Ardent calculates a risk score and provides recommendations on files for minimization, which includes secure data deletion, moving data to another location, or making it available only off-line.
Sameer told me and Ed, “Ardent Privacy solution looks at data repositories, pulls telemetry from the metadata, analyzes the state of the data, then allows companies to make risk-based decisions about whether to keep or eliminate excess data.”
Unlike tidying up around one’s house or office, tidying up your organizational data may not spark joy. However, reducing the risk of data compromise, lowering the cost of compliance, and eliminating overexposure might go a long way to job satisfaction and job security. Ardent is not trying to be an end-to-end data protection solution (it’s just one piece of the pie), but there is no doubt that reining in data by identifying what it is, where it is, and targeting certain data stores for minimization and/or deletion provides the measurable, demonstrable security benefit of saving companies from losing excess data in a breach.