And biggest gap is between those who recognize the need for better, automated security solutions and those who are deploying them effectively

The State of Data Centric Security

While stories of corporate data breaches and hacker attacks make for attention-grabbing headlines, they're not the stuff keeping IT security professionals up at night. What is? Not knowing where an organization's sensitive or confidential data resides, according to a recent study conducted by the Ponemon Institute.

The June 2014 study, sponsored by Informatica, explores the state of data-centric security—an approach that assigns a security policy to data at its creation and follows it as it flows throughout an organization and beyond. Data-centric security is independent of the technology, geography, or hosting platform. The purpose of the research, based on a survey of 1,587 global IT and IT security practitioners in 16 countries, was to determine the readiness of organizations to embrace data-centric security practices and tools as part of a mission to protect the burgeoning reservoirs of corporate data assets.

In the following Q&A, Dr. Larry Ponemon, founder and chairman of the Ponemon Institute and the well-known security expert who spearheaded the survey, sheds some light on the findings.

Q: What was the hypothesis at the onset of the research, and what was the biggest surprise?

A: The purpose was to determine the readiness of companies in all global regions for protecting structured and unstructured data assets. Historically, the focus has been on securing the network or physical assets, and organizations have mastered that kind of infrastructure protection. But they are still novices on how to strategize around data-centric security issues.

The biggest surprise was the magnitude of the gap between the number of respondents recognizing the need for better, automated solutions for securing data assets to the reality that so few companies are deploying this technology effectively. That's very troubling because it's one thing to have companies that live in "la la land" suffer a data breach and wonder why, versus having people understand the risks but not necessarily respond with the right solutions.

Q: Let's go deeper on this. The majority of respondents (80 percent) recognize that not knowing the location of sensitive data poses a threat, but only slightly more than half are prioritizing security initiatives. How do you explain the gap?

A: It is surprising that people understand their organizations have a real problem yet they recognize that they're not doing enough and that they don't have the right resources in place.  My guess is the typical security team has limited resources and is fully occupied with putting out fires. Also, we find a lot of the problems around data-centric security are known to people in the trenches like the security analysts and technicians, but are not necessarily as familiar to senior-level management like CISOs.

Q: The findings show significant differences between companies' confidence levels in knowing the location of structured data compared with unstructured data. Can you explain the discrepancy and what it reveals about companies' maturity level for data security?

A: In general, it's far easier to secure structured data compared to unstructured data like emails and files. The folks that are doing security feel more comfortable securing structured data—they are more used to it and have been handling it for years. They have very little expertise in managing unstructured data assets so it creates a bunch of new challenges. However, in this world of data proliferation, it's the unstructured assets that are growing far more quickly.

Q: What changes are required for accommodating data security in an unstructured world?

A: There are issues of accountability and ownership. In the world of structured data, it's clear that sales and marketing have ownership of the CRM database, for example, but in an unstructured world, there are many users, all with accountability and ownership of information. It's much harder to create controls when the environment is so diffuse and the data is in the hands of so many people.

People trained in security also view IT as accountable for the security domain. But in today's world of cloud and BYOD, it's really a shared responsibility with IT serving as an advisor, but not necessarily having sole accountability and responsibility for many of these information assets.