A Myth of Information Security: All data needs to be protected!

When you think about the total amount of data that goes across an organization on a daily basis protecting all of it becomes a daunting, if not impossible, task. It is hard to wrap one’s mind around how much a gigabyte of data is, let alone trying to conceptually understand what a terabyte of data is! It seems that current regulatory requirements and Information Security professionals are saying that all this data needs to be protected? Not true… that is a myth generated to scare the masses! For most business units and organizations the reality is that only 5-10% of the data that transverses their infrastructure or sits within electronic and physical filing cabinets is sensitive enough to need protection.

How do we differentiate between data that needs to be protected and data that does not need protected? One answer is for us to embrace an enterprise wide data classification scheme that allows the owner of the data to decide which of their data should be treated as:

Highly Restricted
Sensitive
Public

Once data owners classify their data they can then make smart choices about which data to protect very tightly and which data not to protect as well. This also allows the site data owners to save money by purchasing tools or establishing business processes that protect the 5-10% of data that requires extra protection vs. trying to protect 100% of the data flowing through their work areas.

By focusing on the small amount (5-10%) of data that truly needs to be protected we can lessen the complexity and obtrusiveness of data protection and regulatory compliance while reducing the cost of people, time and dollars. This reduced focus and scope is beneficial to the organization’s bottom line.

Yes, there is certain data that we are legally required to protect and secure and doing so can require small sacrifices and inconveniences on our part, similar to having to wear a seat belt when driving a car. However, if we focus our attention and tightened security on the small percentage of data that needs to be protected we might actually find out that there really is such a thing as a cost effective Information Security program.

About mclaukl

Professional Certifications - Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating Felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security manager with the Procter & Gamble (P&G) company (fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team and it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has: created an Information Security program conducted Information Security Strategic planning designed Information Security solutions, investigated over 700 Cyber cases and operated a Global Security Operations Center. • Education - MS in Computer Science Education, BS in Management of Information Systems * PhD in Cyber Security, University of Fairfax

View all posts by mclaukl →

M	T	W	T	F	S	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30