COMMENTARY | By focusing protection where it’s most needed, agencies can more easily share data and create targeted, efficient and effective cybersecurity.
State and local agencies that don’t have enough IT or security resources to install even minimum controls are said to fall below the cybersecurity poverty line. They are stuck in a seemingly endless cycle of playing catch-up. Agencies do not have the funds necessary to invest in robust cybersecurity frameworks, so they continuously employ stopgap measures or overpay for solutions that do not address their challenges. As a result, they find themselves accruing more technical debt and growing ever more unprepared for a breach.
The COVID-19 pandemic exacerbated the problem, with many vendors overpromising and underdelivering cybersecurity solutions, causing agencies to fall further below the line. Now that the dust from the pandemic response has settled, it’s a good time for agencies to reassess their cybersecurity investments and target their efforts where it makes the most sense: the data itself.
Data-centric security is a highly cost-effective and value-driven approach that gives agencies more control and visibility over their data landscape and the risk it poses. With this approach, agencies can move from cybersecurity “have nots” to “haves” and gain the leverage they need to successfully defend against threats and enable their work.
Protecting Valuable—and Vulnerable—Assets
Second to its human resources, data is an agency’s most valuable asset. It’s also one of its most vulnerable, particularly when it needs to be shared. While network perimeter security is still vital and necessary, it has become insufficient in a world in which cloud services and remote work have made those perimeters virtually disappear.
With data more exposed, data-centric security becomes more important. The practice involves placing protective “wrappers” of encryption around data objects, thereby safeguarding those objects wherever they reside. Think of wrappers like bubble wrap that protect a parcel in shipping, except in this case, the wrappers can include predefined security controls and classifications specifying who can access the data, how it can be shared, where it can and cannot go and so forth.
These attributes can be assigned manually or automatically and easily controlled or adjusted. For instance, employees sending email with proprietary information need not be cybersecurity experts to exchange information securely. They can simply check a box on the email delegating or restricting access to the information contained within the message.
Data-centric security makes secure file sharing much easier. Consider a situation where different agencies must share information to serve a single constituent. Each agency may have its own systems, firewalls and security protocols. Normally, it may be challenging for a representative from one agency to access information from another, impeding each organization’s ability to serve the citizen effectively. A data-centric approach, though, lets agencies share information while easily protecting and controlling access to the data, and eventually they can even collapse their data storage silos into one.
Building On and Enhancing Zero Trust
Data-centric security builds on and enhances zero-trust practices that many agencies have already begun to employ. Like zero trust, a data-centric approach is built around the core tenet of “never trusting, always verifying.” In the case of data-centric security, however, zero trust is extended beyond a single agency’s walls to include partner agencies, constituents and others. Agencies can apply their zero-trust policies to the data and ensure those policies are enforced even outside their network boundaries.
In this way, a data-centric approach provides agencies with a more secure way to approach cybersecurity, which is key to rising above the cybersecurity poverty line. Simultaneously, bringing security down to the data level allows agencies to simplify and focus their cybersecurity programs, making them easier to manage and more efficient without sacrificing strong protection.
Implementing Data-Centric Cybersecurity
Agencies struggling below the cyber poverty line or those simply interested in implementing a data-centric approach to cybersecurity should start small. They can begin by assessing which of their internal groups and workflows contain the most risk or high-value data. After first securing those objects and business processes, they can move on to other datasets and build from there.
Continuing to assess data workflows and risk as they evolve over time is key. Data-centric security is not a quick fix, but it can have a quick start, so agencies should allow for an ongoing process that can be continually adjusted to organically become a part of their regular cybersecurity hygiene.
Data-centric security, however, is not a replacement for other cybersecurity best practices. Identity access management, network perimeter security and other common strategies and tactics are still necessary.
But a data-centric approach will give agencies the assurance that their data is protected at all times. They’ll also have significant control over who is able to access information while expediting the sharing of that information, leading to better and more secure citizen experiences, even after that data has left the organization.
In short, by focusing protection where it’s most needed, agencies can create a more targeted, efficient, and effective cybersecurity practice that will help them rise and remain above the cybersecurity poverty line.
Rob McDonald is a senior vice president of strategy and field chief privacy officer at Virtru.