Chasing After the ‘Unicorn’ of Data Security

Most data security professionals say that their company has a “mature” data security strategy and infrastructure, but the companies actually have a long way to go, according to a recent study by Forrester Consulting commissioned by Varonis Systems Inc.

The report, “The Data Security Money Pit: Expense In Depth Hinders Maturity,” corroborates insights from 150 data security decision-makers, and highlights the disconnect between the 76 percent who believe in the maturity of their strategy against the 93 percent who have experienced “persistent technical challenges” in protecting the data of their customers.

At the core of these difficulties and desires is that any effective data security software and infrastructure requires an underlying strategy—which isn’t surprising to those who follow or are engaged in the field. What might be more surprising is how hungry these data security experts are for a unified platform that will help them clearly define that strategy while lowering costs. How do companies get nearer to that goal, as they wait for that perfect platform to arrive?

Throwing money at security doesn’t solve the problem

Forty percent of survey respondents report that customers demand their data be protected, and 76 believe their organization has a “mature or very mature” data security strategy. And the truth, according to Forrester’s research, is that these companies indeed have invested heavily in a number of discrete data security tools, such as those for managing risk, meeting compliance, encryption, monitoring, analytics, without actually reliably meeting those customer demands.

Forrester claims this approach is less “defense in depth” and more “expense in depth,” wherein “companies buy and buy to ensure marginal returns on their security investment.” In other words, the experts are basing their sense of maturity on the depth and breadth to which they’ve bought into various tools. And to correlate the two is a mistake.

The report says, “We’ve seen this before. Years ago when network security was without a firewall, companies bought numerous technologies to protect themselves. Once the next-generation firewall came out, companies realized they were, in fact, not mature at all.”

Claiming maturity doesn’t mean much

If all these data security experts have mature strategies, shouldn’t they be well past the core challenges? Not so—93 percent still experience regular technical challenges, such as keeping up with cyberthreats, encryption, and dealing with disparate products that refuse to integrate properly.

On top of that, one would think that all these technology investments would translate into strong management techniques. Instead, only 36 percent of data security experts audit their company’s use of customer data to look for potential abuse, and less than 40 percent of all types of data—including sensitive structure data and customer data—is encrypted, tokenized, or otherwise masked. Only a third can actually tell you where their data is located.

Some of this information doesn’t come as a surprise. We already know that IoT security is quite bad, and that even though certain new technologies, like blockchain, present opportunities for more coherent security, they also aren’t very mature as of yet.

It’s time to get unified

Perhaps the largest hurdle to improving security is finding a unified platform that satisfies all strategic needs. If such a platform also helps bring down costs, all the better. The report found that 90 percent of data security decision-makers are looking for a unified platform that will pull their disparate products together. According to Forrester, this movement could do the same for data security that modern firewalls did to network security.

Any platform that can accomplish this, while also satisfying the most important functionalities—the ability to control access to data, classify sensitive data, encrypt/tokenize/mask data, inspect data usage patterns, and ingest data from a variety of sources—would appear to corner the market. But that’s asking for quite a lot from any one solution.

In the meantime, the report says that companies need to expand their perception of what “sensitive” data is. Companies should think beyond compliance and start thinking about social responsibility. They should begin by asking themselves five key questions: Where is this data? Is it classified by sensitivity? How do you control access? How do you audit the access and use of this data? Is this data encrypted, tokenized, or masked?

These questions should begin a roadmap to finding gaps in the current state of data security, which might help businesses re-assess how they’re spending their data security budgets. The research suggests that companies that proactively close gaps and invest in solutions that create tangible returns will perform stronger than those who are simply biding their time for the perfect “unicorn” platform in data security.

Because it might never be more than a myth, after all.

More on this topic:

Cybersecurity