Hi, this is Cal Harrison with information security media group with the third installment of this podcast series by sky high security on data protection today we're discussing efficient management of enterprise wide data protection joining us today as an expert on this topic nate Brady enterprise architect that sky high security nate welcome. Absolutely, I think this is going to be a great discussion on this topic. So when it comes to enterprise data, what do organizations need to protect and where do they need to protect it. Well, you know, as we all know Cal that like every organization today is data driven, you know we use data intensively to drive our businesses, you know we want to understand we use it understand what our customers want to buy how to market to them, how to you know run our operations efficiently keep our prices down use it for budgeting hiring inventory supply chain.
So you know you hear people say things like you know data is you know the new oil, and in some ways that's true, but I wouldn't say this is like oil in the ground, it is like oil you know in a car it just keeps everything running smoothly and efficiently. So to do that you know companies have lots of different types of data, usually we're thinking about PII PCI that kind of thing but if you think about it we really have a few different types of data you know the first one might be trade secrets So this is every company has some secret sauce that gives an advantage over their competitors right this might be about their manufacturing processes to be source code formulas for a drug supply chain processes there's so many different things that every organization you know does maybe a little bit better than their competitors gives them an advantage. And you've got market data right this is all that stuff about you know demographics and who's buying what buying trends and supply chain intelligence and that kind of thing that makes you know you your company able to make good business decisions. And then the more of the stuff that we're used to thinking about which is like your financial data right if you're a public company, you know, you've got things that you have to keep secret like income and expenditures profit laws earnings per share that type of thing then you'll obviously you've got employees right and they have names addresses ID numbers salary benefits you know that kind of thing that you know the dark web would love to have it would pay dearly for.
And then lastly we've got customer data right this is arguably maybe the most important thing because our customers trust us, you know with their data so that we can do business with them and obviously that's going to have things again like their name their address their purchase history you know all of that kind of stuff as well, not to mention you know payment information and other sensitive data so we've got a lot of different types of data that we've got to protect. And because this is kind of really all over the place right just having these data and using it for these purposes isn't new. What's really new is the way that we do it right it used to be you had some people in house you had a database maybe you had some software some of it may even been homegrown. And what we're seeing now is that people are using software as a service, and that is really what's driving some of this data to be outside of the company a little less out of our control.
We are data is everywhere, but really no matter where it's at, you know we've got every reason to protect it. You know we hear about data breaches all the time and and a lot of those different data sets that you listed obviously are prime targets. It's almost kind of like what's the use you know why the organizations need to worry about protecting data these days. Yeah because it's like it's everywhere so it's out there anyway so why about it.
Well, you know I think the first thing is in most cases it's just the right thing to do especially when we're talking about other people's data. You know but aside from that you know losing the data any type of data can be really painful and expensive. You know you can have a range of consequences obviously you know the the first part is that you know you can lose the trust of your employees or your customers right. They expect us to protect that data if we don't you know we can lose them so we can lose customers we can lose employees which you know that in itself is is you know maybe reason number one.
But you can also lose a competitive advantage right if you know if your secret sauce gets out there how you do something how you make something work. But you know if you've got a you know a year head start on somebody and that's able to give you a competitive edge and you give that up you know that could be the end of your company right. We've also got governments and you know self regulatory bodies like PCI for example that expect us to do this and have some rules so that if we want to accept credit cards for example there's certain rules. You know that we've got to follow.
So if we don't follow these rules right if we break trust that we break the rules you know there's a whole slew of bad things that can happen to us obviously if you're breaking laws of financial regulations you're going to get you know starts with fines and penalties and maybe even criminal investigations. Well as employee data obviously you know your employees might leave they might be upset with you again fine penalties lawsuits and difficulty to attract new people and retain good talent. And then maybe on the last one which would be the customer data again fine penalties lawsuits but man the goodwill of your company is shot. And your customers would just maybe go someplace else so we've got a lot of reason to protect all of this data and not necessarily just the ones that the government say we have to.
So you bring up a good point about lawsuits I mean there's I think we see class action lawsuits follow up reaches you know within a few days these days so you know that obviously can be really, really costly. Yeah it's a new ambulance chasing right. Yeah I mean that right often far exceed any kind of regulatory fine that that organizations get so how are organizations. How are they typically addressing these issues today.
Well I'll tell you I'm old enough to have been a part of the kind of the evolution of the industry over the past few decades right so I remember you know when organizations first started putting in you know email DLP or network DLP. And then we started getting into the web right when when Gmail and Google Drive and Dropbox started to be a thing so oh man we got to do something about that so we installed like some sort of web DLP and maybe integrated into our web gateways. Obviously the end point is you know especially when people start taking laptops home. You know we don't want to transfer stuff to USB stick you know and drop it in the parking lot.
The most recent will be like the cloud DLP where my data is not even passing through a perimeter at all. It's in the cloud you know I right click on it say share and then it goes right so it's not even really going over any sort of technology that I can do in line. So I need something like a CASB. So it's kind of evolved but it's evolved really in a almost like a point solution so you know what ends up happening is that we've got three to five technologies that we sort of accumulated over the year that does the same thing and maybe different parts of the IT infrastructure right and oftentimes, we have different employees that have completely different reporting infrastructure right emails managing their own web is managing their own you might have a deal key team that's actually managing the endpoint and that kind of thing it's really pretty common so what this means is that we've got to define what our sensitive data looks like and where it is in three or five different places, and each of the products is going to work a little differently, and it really ends up being a confusing situation for employees because they don't really know what's allowed and what isn't because the policy often is pretty inconsistent.
So again today really sum that up it's it's a lot of point solutions kind of all over the place. What you've described is obviously seems pretty complex. What can we do to simplify things. Oh yeah I mean it is definitely complex and as we know complexity leads to higher costs and probably the bigger issue is you know more opportunity for error right and as we talked earlier it's really important to protect the stuff.
You know and people are going to take excuses going hey it's really hard right you know don't blame us it's really hard thing you know they might feel bad but say hey pay up anyway or I'm going to go to your competitor on the street. It is complex but you know and I think it's in our best interest to simplify things because that is going to reduce the probability that we're going to make an error right so if we look back to when each of these existing products was implemented. You know we're going to see that the purchasing decisions are usually tactical right you know the email team realized hey I was emailing out all this stuff we got to solve that and then somebody was you know notice that somebody was sharing something on Dropbox and you know it's the same story with network and cloud and that sort of thing. You know over time we have maybe some solutions you know but now data protection is more of a boardroom concept right it's a organizational strategy and sometimes we'll see even there be their own C level officer in charge of security and data protection.
So really the first step in simplifying things is to have an organization wide you know plain language policy for data protection right so what type of data do we have to protect it why it needs to be protected. Who can use the data and maybe what are the rules for using and storing the data right so once you've got this plain language organization wide policy. Then the different groups can take a fresh look at their their control matrices and their tooling to see what they've got opportunities to consolidate and consolidating and reducing the number of tools is really going to help us reduce complexity and the chance that we're going to make an mistake and something's going to slip through. So kind of in recognition of that over the past few years you know vendors have been really consolidating right so you've got or used to be at email DLP vendors web cloud etc now it's really starting to consolidate and we've got a few vendors now that do all of them and actually recognition of this partner even collapsed its market segments and they used to have a web gateway and and CASB and they were separate and they had their own magic laundry and all that.
But they've collapsed that into something that they're calling you know the security server center or SSE. You're listening to an ISNG podcast brought to you by sky high security and now a quick word from our sponsor. Sky high security is pleased to release the 2023 cloud adoption and risk report since the global pandemic more and more organizations are relying on the cloud to manage the remote and hybrid workforces with your organization has a 100% remote hybrid or on site work environment sharing data in the cloud will continue to grow exponentially. Cloud security needs to evolve at a pace to handle the complexity of monitoring and controlling data flow and persistent challenges like shadow IT.
The new reality from a security perspective is that not only do organizations need to know where data is going in order to protect it but also where it's going in order to keep it from being exfiltrated. Download the latest report and findings and discover the right approach to securing data in the cloud. A top-down approach that focuses on the data itself rather than the traditional bottom-up process of starting from where it is stored. Check out skyhighsecurity.com today.
Yeah, and obviously we've got a lot of organizations out there with separate DLP technologies today. How can they move from this environment to SSE? Well, I think the first challenge a lot of times is really organizational and the decision-making process within a company. Right.
If you've got different departments kind of making their own rules for what data needs to be protected and how then you kind of preclude yourself from having any sort of platform approach right it's you're kind of boxed into a point solution issue. So I think the first part is to take a look at your decision-making process for how data needs to be protected, and also the buying process, because if every team is left to make its own decisions on what tools it's going to buy, the email team decides what email the OPE and et cetera. Then you can end up in that situation with more tools and more complexity than the organization needs, even though there are less complex solutions that probably are going to save you money. So really in order to reap the business benefits of SSE or consolidation in general, which is going to give you the reductions in cost and reduce opportunity for air that kind of thing, then we really need to consolidate that decision-making process around data protection and tooling.
Right. So for example, you know, the next time maybe one of the DLP components, let's call it the web gateway, is up for a refresher tool. Don't just go out and buy a web gateway, right. Take this opportunity to look at the broader needs of the organization and see if you can find an SSE solution, maybe that doesn't, it not only meets the web gateway requirements of today, but also satisfies maybe the future needs for email cloud and endpoint, you know, when the company is ready to maybe take a look at those as well.
Yeah, that makes perfect sense. So any examples of how organizations are making this transition? Oh, yeah, loads of them. I mean, this is really a problem across the board and being on the IAC Square Chapter board for Chicago.
I get an opportunity to talk to lots of architects and CISOs and everybody's really trying to tackle this. So it is a little bit of a slow process, but the ones that are having the most success are instead of trying to go right after a product. You know, they are going really more at the high level strategy and then making product decisions, you know, kind of a little bit higher level maybe than the use to. You know, I don't know if they want to use their names and I can say it's a call a health care organization in Chicago.
And I'm really good friends with some of the people in their IT organization and they have been for the past, I'll say five or six years, you know, reorganizing their people, and they're just now getting to that point where they're able to adopt an SSE. So hopefully I'll work with them and they'll select our SSE, but it is something I see all over the place I can take another energy company in the same situation, governments as well. You know, even our own defensive department here in the United States is doing things like this where you know we've got these different armed forces divisions, but some of this makes a lot of sense to to protect because they're all protecting the same. The same idea is right the same same state secrets so they have bubbled up IT security basically to all of the armed services branches so lots of examples out there that you can look at.
And obviously, a lot of organizations on different, you know, sort of pass them steps in the journey. What about organizations that are just getting started with the LP, what do you recommendations for them. Well, if you're just getting started, you know, the good news for you is that you can bypass a lot of the pain. The rest of us have gone through.
So that's, that's a good thing. The first thing I would say, if you're looking at the LP is the kind of resist the urge, you know, to solve for the elephant in the room, right, without considering all of the monkeys, because once the elephants gone, you know, that monkeys are going to destroy the place right so often this happens with things like Office 365, you know, maybe the pandemic through you and Office 365 and it's very tempting I see a lot of customers saying, Hey, we want to solve the Office 365 problem. And, you know, my first question is always, well, do you have other apps like, yeah, but we don't want to get to those now right we'll deal with that problem later. And if you, if you do that, you kind of end up boxing yourself into that same place where you've got several different data protection products and lots of complexity because there are ways to solve Office 365 that really only work for Office 365.
For example, so my advice to the architects out there listening is really actually going to be the same for everybody, whether or not you're new to data protection or, you know, you're a veteran is just take a step back and understand what your company needs from a just, you know, really a strategic data protection perspective, and then make your tooling choices based on that, rather than just what happens to be, you know, maybe up for refresh or the thing you're trying to buy today so take a step back and, you know, look at the future a little bit. Yeah, great point. I'm going to remember that about the elephants and the monkeys. So, so we've covered a lot of ground today any closing thoughts.
No, that's really it, you know, just we're always here obviously at sky and technologists and and love to love the chat so you know if anybody wants to chat about these things or have more details and what other folks are doing, you know, go ahead and reach out to be happy to talk. Well, this has been really enlightening, Nate, thank you so much for joining. Yeah, thanks again for having me. We've been speaking with Nate Brady at sky high security about protecting enterprise data part of our podcast theories on data protection.
Be sure to check out the other installments right here on i smg websites for information security media group on Cal Harrison. Thank you for giving us your time and attention.