For nearly 30 years, businesses have been focused on globalization, expanding into new markets, and scaling IT systems for a global customer base. Globalization promised to increase international trade, investment, and economic growth by creating a more interconnected and interdependent world. It was expected to bring about greater efficiency, innovation and competition, resulting in lower prices, increased productivity and higher living standards for people around the world.
As the global marketplace came together, it became increasingly digitally connected. For certain threat actors and nation-states, they saw this as an opportunity to steal valuable intellectual property, not to mention personal identifiable information of citizens around the world. This has led to a new focus on cybersecurity as a critical aspect of national defense and economic security.
As a result, data privacy laws have been on the rise. It started in the European Union with the General Data Protection Regulation (GDPR) setting new standards for data privacy and giving consumers more control over their personal data. But, in the last five years each country and each jurisdiction began fighting to keep control over their citizens’ data.
The cloud came into being with an assumption that location doesn’t matter. Thanks to the relentless nature of cybercrime, it turns out it does matter. Many countries now mandate that its citizens’ data must stay in the country. This is counter to the spirit of globalization and adds layers of complexity to delivering IT services and security. What we have now is a very complex relationship and tension point between geopolitical powers, enterprises and the economy.
Think about an enterprise that has a presence in 80 or 90 countries. Just knowing what the latest regulations are across all of these countries is a huge challenge for businesses, let alone making sure they abide by it across all the different systems and all the different complex environments that they’re leveraging. The challenge is tremendous. Over the next few years, penalties will become increasingly substantial. GDPR, for example, allows the EU to fine a company up to 4% of the annual revenue for a data breach.
We’re getting a sneak peek at what the challenges in 2028 or 2030 will be. Think about the complexities of the regulatory scrutiny that a company like TikTok is under with every country across the globe. Every regulator around the world is knocking on their door and telling them they want to know where TikTok is keeping their citizens’ data, and they want to make sure that nobody can access that data. Prove it right now. Fortunately, TikTok has 35,000 software engineers who can deal with this challenge. But most enterprises don’t.
The future requires data-centric security
The reality now is that how we secure our data must change. Instead of focusing on the infrastructure components of hardware, networks, applications, and identities, it is time to put data at the center of modern security programs. Until that happens, attackers continue to have the advantage, and breaches will persist.
Data owners and cybersecurity teams must leverage artificial intelligence, machine learning and automation to their full potential in order to keep pace with data proliferation creating an ever-expanding threat surface. Data is too easy to create and consume, and flows too freely across hybrid cloud environments for manual efforts to keep pace. Today, unsupervised machine learning can be leveraged to find relationships and associations across a company’s data landscape. Supervised ML can then identify exposures or vulnerabilities based on signals that expert humans establish and verify in order to avoid false positives and negatives. Remediation can be accelerated by inserting tailored guidance into automated workflows, and teams can leverage conversational AI to better analyze and interrogate findings using natural language models to assist with queries and research.
All of this must start by dynamically discovering where the data lives and the value it represents. Below are four critical capabilities that data security leaders need to implement to meet this new world of data privacy laws and regulations.
Identify sensitive data where it resides. Visibility is one of the most foundational and challenging elements to defending data. Modern businesses need to invest in technology that can automatically and continuously identify where data, both structured and unstructured, exists, who owns and accesses it, and where it flows.
Classify and establish deep context on sensitive data to determine how to handle it. Effective data security requires that defenders understand the value of their data and its intended use before effective controls or policies can be applied. Data security should enable the business to grow, and not block or slow the pace of innovation. Powerful ML and NLP algorithms parse structured and unstructured data, identify standalone sensitive data, as well as combinations of data that together represent identifiability that requires a given level of security or policy governance. The system continuously draws signals from the environment – metadata, settings, users, and applications – to maintain a useful sensitive data inventory that includes sufficient context on the data to inform how to secure it.
Automate remediation workflows to keep pace with your business. With deep knowledge of the data a business has, and both the value and exposure that it represents, remediations can be automated in line with existing processes. This is critical in the cloud era, because manual decisioning and execution cannot possibly keep pace with how quickly data moves and changes. It is also crucial, given the current economic environment, to make effective use of investments in tools and training. Bringing the automated discovery, classification and context, and remediation together with established ways of working means that an organization can make real strides in the direction of democratizing data.
Build a foundation for data protection. Data security leaders must enable security teams to reduce the attack surface, maintain operational resilience and preparedness, and optimize costs by defining data protection controls. They must take into account security, privacy, and other regulatory frameworks, data backup and management policies, and the environments where data can exist based on its sensitivity and value to the business. The opportunity exists to shift from focusing on reducing the attack surface, something that is at odds with harnessing the power of the cloud, to instead reducing the blast radius within an ever-increasing data landscape. AI, ML and automation, when used effectively, can help make that opportunity a reality.
Globalization and localization have hit a crossroads due to legislation and security concerns. How we proceed from here will have a significant impact on world trade and the global economy for many years to come. By prioritizing data security, we can be much more proactive about protecting sensitive information and critical assets.
While localized efforts to protect consumer interests will likely continue in the form of increased regulations and legislation, these are important reminders that we cannot become complacent to security breaches and cyber attacks. We must hold ourselves and those who possess our personal information accountable; we must stay vigilant in this endeavor as we move through the friction and toward proactive data security.