What Is Data Security Management? An Introductory Guide

What is data security management? What does it do? Why do you need data security management in the first place? Today let's discuss and find the answers to these questions. You'll also find a few tips to start your data security management journey.

This post was originally published on DataOps Zone

Have you ever wondered what data security management is and what it does? Why do you need it in the first place? If you have, you’re in the right place.

This post is about data security management and helping you find the answers to these questions. If you need a firm grasp on the concepts of data security management, or maybe you’re wondering about its responsibilities, this post has you covered. I’ll also give you a few tips to start your journey. Let’s start with data security at the most fundamental level.

First Things First, What Is Data Security?

A journey of a thousand miles begins with a single step. Your first step is to understand what data security means. In summary, it’s all about protecting the organization’s digital data from any kind of threat. This sounds simple enough, but in fact there are four core principles you need to consider in data security: confidentiality, integrity, availability, and nonrepudiation. The first three principles are known as the CIA triad of data security. Nonrepudiation is a bonus. Let’s discuss these next:

  1. Data confidentiality: This is what most people think of when it comes to data security. It means only authorized people should have access to the data, and it’s protected from everyone else.
  2. Data integrity: The key point here is the authenticity and accuracy of the data. In addition, integrity makes sure data is in the right format and stays consistent throughout its life cycle.
  3. Data availability: This principle makes sure that data is available when required. As we all know, data is key for the organization to function properly. This is pretty much like me without my coffee. If there’s no coffee available to me in the morning, I simply can’t get through the day.
  4. Nonrepudiation: Basically, nonrepudiation means guaranteeing where the data came from, so that its origin can’t be denied later. It’s like signing a piece of paper: your signature guarantees that it came from you.

Think of data security like a musical orchestra. Those four principles are the musical instruments of the orchestra. With this music analogy, you’re ready to move on to data security management.

What Is Data Security Management, and What Does It Do Anyway?

Data security management is the governance and management of data security. Let’s use the music analogy from earlier. Data security management is the conductor of the “data security orchestra.” But what does that mean? Conductors manage the orchestra by managing the musicians. They make sure musicians play the right instruments, and they set the tempo. As a result, the orchestra plays a harmonious sonata. Data security management plays the same role as that conductor. It ensures that people follow the right security processes and use the right tools. And if all goes well, the result is a harmonious “data security sonata.”

What else does data security management do? First of all, it translates business objectives into meaningful data security objectives. Sometimes it defines security processes. And sometimes it’s even involved in the security technology bits. It all depends on the culture and the size of the company, as well as the kind of industry it operates in. In summary, data security management plans, organizes, and controls data security activities. And it defines data security key performance indicators. These indicators will tell you when things go wrong. And sometimes they do.

… But Wait, There’s Even More!

You need to manage the threats to the organization’s data. After all, those threats could stop the business from achieving its objectives. Threats like the bad guys wearing black hoodies or funny Guy Fawkes masks in dark rooms. And of course, Mr. Robot. Jokes aside, there are other kinds of threats. For example, what if your admins accidentally delete important databases on a bad day? How about data theft, natural disasters, or physical damage? You need to reduce threats as much as possible by finding the delicate balance among data security, usability, and cost.

But what’s the right balance? For example, you could lock that data up and throw the keys away. This might not cost you a lot, and it’s security at its best, don’t you agree? Of course not. Because no one can access that data anymore, not even the people who need it. You went too far with data security and sacrificed data usability. On the other hand, when you have great security and usability metrics, it could cost a fortune. Good luck finding funding for that project.

To find the right balance, just think of data security as an investment. This is the investment in protecting the data assets of the organization. To do that properly, it’s time to assess the value of that data. How much is it worth to the organization? How about the financial penalties and reputational damage the organization would suffer when things go wrong? Make sure you start asking these questions and having these discussions with the key stakeholders of the business. With their insight, you’ll understand if your data security project is worth investing in.

This Sounds Like Too Much Fuss. Why Do I Need Data Security Management?

By now, I bet your head is spinning and you might be thinking, “This sounds like too much trouble. Why do I need data security management in the first place?” Well, going back to the previous music analogy, does an orchestra need a conductor? Of course it does. One of the most important responsibilities of a conductor is to communicate the intention of the composer to the orchestra. This is exactly what data security management does by translating the business objectives into data security strategies for the organization.

Oh, but wait. We need to talk about the legal and regulatory requirements. Think GDPR, HIPAA, FISMA, and a bunch of others. These mandate data security for various kinds of data. This is a complex topic and not for the fainthearted. Suffice it to say compliance is a must and a lot of work. Do you still need convincing that you need data security management?

How Can I Get Started in Data Security Management?

So far, we’ve covered what data security management is and what it does. We also clarified the all-important “why” question. Are you excited about data security management yet? If you are, I thought I’d help by giving you three key tips you can use. We’ll cover data, risk management, and personnel. Let’s see them in more detail.

Know Your Data

Organizations generate, process, and store all kinds of data at an amazing pace. They use various technologies in the cloud with the click of a button: big data, machine learning, business intelligence tools, and pretty much any other buzzword you could think of. Keep a close eye on these and consider their data security implications. For example, container technologies have changed the technology landscape forever. However, containers bring all kinds of additional security threats and vulnerabilities you need to worry about. This means your security tools and processes need to evolve to keep up with containers.

Without a doubt, these platforms will make your life more interesting. And that’s OK; we all like the security challenge. The challenge becomes even more complex once you add the legal and regulatory implications. After all, you need a firm grasp on your organization’s data. Without this, you can’t protect it.

Risk Management to the Rescue

How does risk management come into play here? Just remember the core definition of data security. At this point, surely you know it by heart: to protect data from threats. A good risk management framework discusses both the nature of data and the threats in great detail. Please use a risk management framework; both your staff and auditors will be grateful for it. Why? Because risk management is a well-defined challenge in information security, and experts have already figured it out. Frameworks give you the broad strokes and structures you need to tame the risk management beast. Please don’t reinvent the wheel. Instead, take a look at some of the industry-recognized risk management frameworks. To name a few, there are the NIST Risk Management Framework, ISO 27005:2018, ISO 31000:2018, and COSO Enterprise Risk Management. Just pick one you’re comfortable with and off you go.

The Almighty Data Security Personnel

Last, but not least, there’s personnel. You need to have the right technical skills and personnel at your disposal. Without them, you can’t be successful in data security. Technical expertise is one requirement, but not the only one. You need individuals with great communication skills who work well with others. After all, data security is always a team effort.

However, finding and retaining people with the right skill set is a challenge these days. Building a security culture within your organization should be your ultimate goal. You can’t do that without the right personnel, so make sure you get it right.

Are You Ready to Start Your Data Security Management Journey?

So, there you have it. Now you understand what data security management is and appreciate all the things it does. You’ve also been given a few tips to start or improve your data security management. Next, make a list of the actions you need to start your journey. See where you fall short and make a plan to fill those security gaps. Maybe start with a robust data security strategy and adjust it if necessary. Use a risk management framework to understand your risks and threats. Make sure you measure the effectiveness of data security. And most importantly, enjoy the journey.