Four Critical Challenges in Implementing Data Security

By:


Large and very public data security breaches, such as were announced by Target and Nieman-Marcus at the end of 2013, seem increasingly common in frequency and astonishing in scope. Although the actual number of incidents in 2013 was down from 2012, according to Dataloss DB (http://datalossdb.org/ ), security remains a top priority for data professionals everywhere.

To find out what the biggest challenges are for businesses in addressing data security, we invited SQL Server and security experts to share their insights via a Twitter datachat (#datachat). Our #datachat panelists included: Brian Kelly (SQL Server MVP and Enterprise Systems Architect at AgFirst Farm Credit Bank), Denny Cherry (SQL Server MVP and founder of SQL Excursions),  Karen Lopez (SQL Server MVP and Sr. Project Manager / Architect at Infoadvisors), Darcy Lussier (SQL Server MVP and Solution Architect at Online Business Systems),  Mark Holmes (Senior Database Administrator at West Notifications), Argenis Fernandez (Senior Database Monkey at Survey Monkey, Nancy Hidy Wilson (SQL Server Specialist at T-Services North America),  and Thomas LaRock (SQL Server MCM and MVP, and Technical Evangelist at SolarWinds). (Plus, a special guest appearance from Eugene Spafford, leading authority on information security).

Challenge 1: Increase awareness and education of security best practices

By far the most common challenge in data security, according to our panel, is a need to increase awareness and education, both within IT and in the general business community.  On the IT side, Brian Kelley shared a statement from Jay Bavisi, a leading security expert and president of EC-Council, who posits that 99% of future IT workers don’t understand secure coding practices. (Interestingly, Kelley also noted that the EC-Council’s own web site was susbsequently hacked):

Kelley 99 Percent IT Doesnt Get Security

 

This pervasive lack of awareness about security—why it is critical and how it enables business, as Eugene Spafford asserts—keeps business leaders from making it a priority, as Tom LaRock notes here:

One reason for this state of affairs is that security isn’t included in IT-related curricula. For example, Denny Cherry asserts that most IT professionals don’t have experience with security because best practices aren’t taught, and security is rarely covered in college-level programming classes:

Cherry IT Pros No Exp Security

Cherry Lack Of Security In Curricula

 

Outside of IT, the lack of awareness manifests itself in business users when they bypass security measures, for example, by transporting sensitive data via non-secure physical measures, such as USB drives, or sending sensitive data via e-mail, as Darcy Lussier points out:

Lussier No Training Data Security

 

Challenge 2: Make security everyone’s business

One result of the lack of education and awareness is that everyone thinks security is someone else’s issue, as Mark Holmes tweeted and Karen Lopez echoed:

Holmes Data Security Is Other Guys Problem

 

Lopez Data Security Is Other Guys Job

The someone-else’s-problem approach is easy to see in action; Tom LaRock shared the example of developers coding applications using system administrator access without understanding the data being accessed or the risks in exposing it:

Larock 99 Percent Devs

 

Argenis Fernandez offered the example of end users who keep the often- insecure default access information provided for applications, even when they’re encouraged to change the defaults:

Argenis Insecure Defaults

 

Sometimes, this attitude shows up as a belief that if it’s inside the firewall, it isn’t a security issue, but as Brian Kelley points out, what’s inside the firewall is perhaps the biggest threat:

Kelley Insider Threat

 

And, as @phra95w17ch points out, social engineering, not technology, plays a significant role in exploiting that inside-the-firewall threat:

YCWF Social Engineering

 

In reality, Tom LaRock says, data security is the job of every single person—employee, vendor, contractor, partner, customer—who has access to the data.

Larock Everyone Responsible For Data Security

When any person in the chain of people who touches data doesn’t have this understanding, they contribute to the overall security challenge, according to Denny Cherry:

Cherry Everyone Responsible For Data Security

 

Challenge 3: Allocate adequate resources to data security

When businesses understand the importance of security, it’s easier to overcome the challenge of acquiring resources to support security implementations, another challenge cited by our panelists, including Nancy Hidy Wilson in this tweet:

Wilson No Budget Or Time For Security

Denny Cherry notes that this can sometimes even lead to security being cut altogether when a project’s budget or timeline is threatened:

Cherry Security Is 1St Cut

 

And Brian Kelley agrees that security implementations can run up against the demands of projects costs and schedules:

Kelley Security Affects Budgets Schedules

 

Challenge 4: Lobby to simplify regulations and streamline data security compliance and reporting

Finally, our panelists noted that geography and politics play a role in making security challenging. In Denny Cherry’s opinion, the U.S. has much to learn about data security, including data privacy, from other countries:

Denny Better Data Security Outside US

 

What has evolved in the U.S. is a complex set of federal and state laws and policies related to data security, creating a kind of patchwork of regulations that’s difficult to navigate, Karen Lopez tweets:

Lopez US Patchwork Of Security Regulations

 

Brian Kelley agrees, stating that this state-by-state approach complicates an already complicated set of issues:

Kelley Laws On Data Protection US

 

It’s important, too, not to lose sight of the fact that data security is a corporate responsibility that transcends regulatory requirements, as @phra95w17ch points out:

YCWF Security Corp Responsibility

According to Brian Kelley, data security and security regulations mandate a corporate balancing act, sometimes pitting shareholder value against the very real need for resources to support security initiatives:

Kelley Shareholder Value Vs Security

Embrace data security to transcend the challenges

In the end, despite the many issues that challenge businesses and governments in implementing adequate data security—from lack of education to lack of ownership to lack of resources to a daunting array of regulations—organizations must embrace security as an enabler. Eugene Spafford, one of the world’s foremost experts on information security, has long advocated that organizations must consider security, not as a burden, but as an enabler—something that allows you to have confidence in what you’re doing.

 

 

 

 

 

 

Leave a Reply