In our work with Information Security (InfoSec) people at large, and with those in heavily regulated organizations, we typically find that they have the initial five steps in the cyber kill chain under control.
These primarily involve “building the moat,” i.e., making sure the perimeter is secure so that you can keep the bad guys out.
But when it comes to the sixth step — Data Theft — most organizations are just getting their arms around how they could protect data behind the firewall to reduce the impact of a breach, let alone actually doing so.
Data Theft Prevention: The Challenges
A number of reasons can explain the difficulty most firms face in trying to prevent data theft:
- InfoSec is new to the information management space, so they don’t have the expertise needed to reduce the risk of data theft effectively.
- The organizational stakeholders who are traditionally responsible for managing information (records management, IT enterprise content management (ECM) application owners, legal) aren’t aligned with InfoSec.
- The technology available in house to manage information (i.e., ECM platforms, data loss prevention (DLP) systems and other endpoint protection) is for the most part woefully inadequate — because the technology is weak, the operation of the technology is too complex, the implementation of the technology is suboptimal, or end users aren’t sure how to leverage it effectively — or a combination of all four.
We do projects with 30 or more clients a year and have substantive conversations with dozens more, so we feel confident that this assessment of the state of corporate InfoSec is accurate. But given that the total universe of organizations is much larger than what we encounter, our experience is but a small slice of what’s happening on the ground across the industry.
Assessing the State of Information Security
With that in mind, we encourage you to take the survey below so we can gather data from a much larger subset of firms on how they’re managing data to address the Data Theft step in the cyber kill chain. We will use the results of the 10-minute anonymous survey to publish, in these pages, an assessment of the state of InfoSec and how it’s addressing information management risk.
As a participant, you’ll be able to get access to the raw, anonymized data as well as our analysis. If you wish to receive these, please provide your email in the survey so we know where to send them.
Thanks in advance for taking the time to share what’s going on in your organization.
Take the survey here.