Where is our data and how is it managed? That’s the fundamental cyber question Australian boards and senior managers need to ask as the regulatory environment around data tightens up both here and overseas.
The security conversation is shifting from threat detection and managing defence in depth for an IT platform and its network to full-scale data management.
“The market is moving to a specific focus around data management,” says Ted Pretty, the chief executive officer at Covata, an ASX-listed data security provider with offices in Australia, Europe and the US.
“The reason I say data management is that data and security protection is just one element of the data life cycle.”
An organisation’s IT teams and network and application vendors should of course be handling the day-to-day technical risks of threat detection and management, says Mr Pretty, who will be speaking at the InnovationAus.Com Cyber Leaders: The Collaborative Imperative event in Sydney on May 15.
“Where the market is heading, and where an organisation’s management needs to focus is on data management, including data protection.
“What does that mean? It means you need to have a number of elements to what you are doing.
“One is data discovery which is knowing where your data is and who holds it and who has access or is authorised to use it,” Mr Pretty says.
Another element is having a data classification capability that works on the fly as data streams through an organisation.
“An auto data classification capability is where data is being created and it’s being classified in a way that defines who has access to it and how it should be treated with the sensitivity it deserves,” says Mr Pretty.
Then there are the various data control elements, such as identity management and data protection measures including access policy rules, security classification, data masking, data obfuscation or encryption.
“And then you need a reporting framework that actively monitors the use of the data and provides a full audit trail,” says Mr Pretty.
“That’s where we see the market shifting. It’s around managing data through its lifecycle.”
The final piece of a comprehensive data management regime is that it has to integrate with the everyday applications that organisations use, such as Microsoft Office.
The shift to a data management perspective is a journey that Covata has already been through.
“Our journey has taken us from what was originally a digital vault for storing and accessing files to a platform that offers a number of services around discovery and classification, control and protection.”
The diverse nature of organisations’ infotech means there is no one-size-fits-all approach to twenty-first century data management.
“There’s no cookie cutter approach to this because no two organisations are the same,” says Mr Pretty.
The move to comprehensive data management begins at the top. Mr Pretty says boards need to ask their in-house technologists and technology providers different questions these days, especially with the shift to cloud-based computing.
In the past, it was adequate for boards to ask questions around the integrity of an organisation’s basic digital security posture.
With regulatory challenges such as Australia’s mandatory data breach legislation and the EU’s imminent General Data Protection Regulation, which sees transgressors being fined up to four percent of global revenues, board scrutiny of IT operations flows from a single, fundamental question.
“The next step for boards is to ask the bigger question which is can you tell me where the company’s data is,” says Mr Pretty.
“Can you tell me who has access to it, today or in the future, can you tell me whether third parties are managing our systems and can they see this data and what sort of security do those people have.
“And how does all of that fit into our daily business process?”
Boards need to move to a different kind of discussion around data management because the regulatory environment has moved there.
“Boards have traditionally thought we better ask just a few questions of the CIO or the CISO about the technical elements of protection, but they need to be asking about the broader issue of what is their data position.
“What’s their data posture and what are the commercial risks of losing access to that data or having unauthorised access?
“What are the regulatory and reputational risks of someone getting hold of that data, what are the compliance and breach notifications and procedures and fines that could be put in place.”
Meanwhile, Covata is shifting to a more global focus, especially around Europe, as the question of data management becomes more critical.
Today, about three quarters of Covata’s customers are local, but Mr Pretty sees the mix shifting in the future to where half of Covata’s customers will be from Europe.
Covata acquired US firm CipherPoint, which is able to lock down Microsoft’s SharePoint collaboration platform in compliance with the EU GDPR regulations, which go live later this month.
Covata also recently entered into a strategic alliance with Germany-based dataglobal to acquire rights and intellectual property relating to dataglobal’s data classification and analysis products, as well as a worldwide OEM agreement for the entire dataglobal product suite of enterprise information management and archiving solutions.
Covata is a valued presentation partner with InnovationAus.com for the upcoming Cyber Leaders: The Collaborative Imperative forum in Sydney on May 15. You can secure your seat at this important event here.