
Data asset familiarity inherent to information security

When developing an information security strategy, it helps to start with determining exactly what data the business is responsible for and then implement necessary risk management measures. After all, how can you protect what you don't even know you have? Too many companies, however, don't understand the scope of their data assets and create information security holes, according to Robert Shullich, enterprise security architect at Tower Group Companies in New York City.

In this video from the RSA 2014 Conference in San Francisco, Shullich sits down with SearchCompliance editor Ben Cole to discuss why companies that remain ignorant of their information assets are dramatically increasing their data security risks.

In your position as an enterprise security architect for Tower Group, what are some of your top priorities to ensure information security and reduce risk?

Robert Shullich: It's actually in the privacy area. Tower is a property and casualty insurance company, so we're in the financial industry. We have a lot of regulatory compliance. We're listed on the exchanges, so you have stocks. We have GLBA. We have the breach notification laws. It's basically protecting a lot of the personal information, protection of the PII. It gets down to pretty much privacy. As a matter of fact, I report to the privacy officer. If you keep the data safe, there isn't that much more to do as long as you protect the data. That's what you need to protect.

What are some of the challenges in doing that, especially with all the modern threats that are out there?

Shullich: A lot of the threats that have to be dealt with are more of the insider threats. But an insider threat is when people walk away with PII or people who do dumb things, like clicking on links that allow them to get infected. It's hacking the human. Humans are a big threat.

What are some of the most dangerous new types of security attacks that companies should be concerned with? Also, what kind of security measures can help them overcome these attacks?

Shullich: Many companies work along a risk space, and the problem that we have, in my personal opinion, in several companies that I've worked for and consulted for, is that it's not like in an insurance company. If you're in life insurance, you do actuaries and you figure out how long the person is going to live. You can figure out those types of numbers. Those types of number crunching for risks, they know.

In information security, we don't know the components of the total risk, such as the probability that it's going to happen and sometimes what the impact is of what's going to happen. A lot of times, the business believes 'oh, it's not going to happen' or 'we'll never see it happen,' or that 'nobody wants our data.' They're not realizing that it's automated attacks and nobody knows who they're attacking anyway.

Most of the attacks are undirected -- script kiddies and everybody else. Within the threats that you know you have to deal with, you may have another threat out there. A lot of organizations don't know what their inventory is. They don't ever do data asset management, or they don't do it properly. Even if they're doing threat intelligence and get information like 'we have a threat against the Linux box,' sometimes people don't know what version of Linux they're running, how it's patched, or whether the threat applies to them. They may assume that they don't have Linux.


I worked for a company before that said, 'oh, we don't have to worry about Solaris,' but they had acquired a company that had Solaris. Mergers and acquisitions can be very, very dangerous. Even after an M&A, you have to have that inventory. You need to know what your data assets are that could be attacked. You need to know who's attacking you. At some organizations, management doesn't know who their enemy is, or they don't know what the probability of an attack is going to be, or they don't know the impact. You need to know those numbers. If those numbers are miscalculated and they're on the low side, then there's a lot more risk there that's not being accounted for.

How can companies determine that information? Is it just a matter of research into what your risks are?

Shullich: I think a lot of the challenge is educating your C-level, even if you're a CISO. This includes educating management, the board. You have to talk in business terms. You have to show that this is the type of risk, this is the type of problem you're going to have. There are a lot of cases where things happen, and you don't realize it until somebody comes out of the woodwork. Take a third-party relationship: You have a third-party relationship, then you end that third-party relationship. Then a couple of years later, something happens. OK, that was our data. They still have it. What do we do?


It's helpful to document expectations for the acceptable and responsible use of information technology assets in an acceptable use or responsible use policy. Identifying an owner, or responsible party, for physical hardware or software is relatively easy; information assets may be a bit more difficult to identify, classify, and apply ownership to.

Good point, Genderhayes. Who should be responsible for outlining/documenting these policies? With modern businesses responsible for endless amounts of data, I would think there are a lot of stakeholders that could muddy the responsibility waters a bit.