Who is Responsible for Security Enhancements in an Organization? Everyone!

Data is perhaps an organization’s greatest intangible asset.  Accounting principles say it can’t be valued on a balance sheet, but it is undeniable that the ability to harness, transform and understand data is paramount to an organization’s operating strategy and outlook.  Recent statistics even suggest that a small improvement in data understanding could increase a company’s net income by millions of dollars. [1]  This is a gripping statistic.  However, what is more compelling is that well over half of all organizations will experience significant data loss at some point due to a significant external event. [2]

This raises the question: who is responsible for security enhancements in an organization to ensure data loss prevention (“DLP”)?  The short answer is everyone, starting at the top of the C suite and extending down to the newest hire.

DLP should be aligned with the overall objectives of the business.  As with most things in the corporate sense, policy starts at the top.  This means that broad-based DLP policies need to be instituted at the executive level and carried throughout the organization.  Executives should consider policies such as: limiting personnel to accessing only the data needed to complete their specific jobs; access credentials and limitations on devices that can be used to store data away from company control; and continuing professional education to ensure that all staff are aware of the existence and purpose of such policies.  These three factors are critical to enhancing security in a business because studies have largely revealed that most data leaks occur due to unintentional incidents involving employees and outside vendors. [3]

Policies, by themselves, cannot stand without enforcement.  After DLP policies are instituted, there need to be broad-based systems and controls established that focus on both preventing and detecting possible threats.  Enforcement can take on a number of forms, but may include both passive and active administration.  Passive administration may include software designed to notify appropriate stakeholders when data is released to an unauthorized destination, or stringent processes that users must follow in order to move or access certain levels of data.  Passive administration should cast a wide net so that a number of external threats can be mitigated without continuous supervision.  Active administration, on the other hand, requires supervision through manual processes and testing.  Active administration may include an internal audit function conducting periodic tests of details and controls, or levels of management that separate duties between preparation, authorization and custody.  These active processes should be conducted on a periodic basis with independence in mind so that personnel will not be biased in their findings.

The final key to successful security enhancements in an organization is continuous improvement.  This is largely driven by the entire team but starts at the lower operating levels.  DLP policies should define a set of feedback channels that allow communication from the bottom to escalate to the appropriate managers, who then have the authority to take action.  This feedback loop should be continuous and allow for meaningful revision of policies and assessment of operating protocols.  Initiatives in this arena should include ways to make processes more effective but less burdensome to complete.  Further, the feedback loop needs to be reliable, so that the information reaches the appropriate party who then has the ability to actually implement the change.

Security enhancements in an organization are everyone’s responsibility.  Policy starts at the top and trickles down to even the newest associate.  These new associates are responsible for carrying out the tasks and providing meaningful feedback on the operation of the DLP policies.  Managers are then required to escalate, as appropriate, and provide meaningful guidance on how to resolve complexities.  In that light, DLP policies are not limited to software and hardware controls alone.  Instead, these policies are strategic initiatives that should be aligned with the organization’s overall goals so that there can be a culture of continuous improvement from the top down and the bottom up.

Citations:

[1] Marr, Bernard.  “Big Data: 20 Mind-Boggling Facts Everyone Must Read.”  Forbes.

[2] Thornton, Katie.  “11 Stats on Data Loss You Need to Know.”  Datto.

[3] Ernst & Young LLP.  “Data Loss Prevention.”  Ernst & Young LLP.