Customers have lulled themselves into a false sense of security.
I have the opportunity to speak with customers daily, and when the conversation evolves to data security, these are usually the responses I receive:
- “…we have RAID protected data…”
- “…we have redundant controller architectures…”
- “…we do replication to another secure facility…”
…and the list of data protection bullet items continues to grow. In my head, I can only imagine the conversation taking place is something like this:
|IT Chief Architect:||Hello Ms. Auditor, come on in.|
|Ms. Auditor:||Hello Mr. Architect. I am here to do an audit of your data security to report back to our senior leaders.|
|IT Chief Architect:||That is fantastic, and I can assure you, all of our data is protected under lock and key, surrounded by the finest chains money can buy, and kept in a very safe non-disclosed location.|
|Ms. Auditor:||Well, that is simply fantastic; I feel my audit is complete. I only had three requirements and you have answered them all:|
|.||Audit score is 100% compliant! I will see you next year and Happy New Year.|
This is the security protection I find discussed and delivered by some IT shops. However, as you can see, this vending machine also passes the same “audit” checklist:
In the backup discipline, leadership usually does not care about a backup, but all of them certainly care about the restoration. The same holds true within the security discipline. All is secure and tidy as long as there is no data breach. The moment the perimeter is compromised, everyone becomes interested in the audit results and asks “how could this have happened?”
Here is what I recommend, take a fresh audit of your questions, not the answers. You cannot expect valid answers if you have invalid questions. If you do an annual security survey, or any survey for that matter, it may be wise to never have a repeat question from year to year. You may just find out a piece of critical data by asking the question in a slightly different angle to poke in areas not explored before.
When I ask customers:
- How many do data at rest encryption?
- How many destroy your failed media drives?
- How many would pass an independent audit… not predicted – but today, right now?
…everyone usually looks around the room…in horror…
With the recent data breaches at major retailers, and ones that take security and data protection to the highest levels, all of us should take some advice and take a renewed look at our questions, not the answers.
*Credits to Vickie Agolli for the great picture and for playing the role of Ms. Auditor.