Q&A with President and CSO Rich Mason, Critical Infrastructure LLC
Rich is a 20-year veteran of technology titans such as AT&T, Lucent Technologies’ Bell Labs, and Honeywell International.
In his role as President and Chief Security Officer of Critical Infrastructure LLC, Rich assists Fortune 500 companies and select critical infrastructure supply chain businesses in the development of their security strategy, organization, and personnel.
Rich also supports venture capital firms in the vetting and development of emerging technologies and provides board-level advisory services to publicly held corporations and technology startups.
We recently sat down to discuss the concept of sacred data as we move towards the cloud.
Grant: A topic you and I have discussed before is this common notion a lot of companies have in that they see all data as being sacred. Rich, is all data sacred?
Rich: This is a slightly tricky question, right? Companies have been sold this idea that all their data is sacred, and if they don’t yet know why, then they should hold on to it, or hoard it until they figure out its use. Which may work for a bit. At least until they get their bill for cloud storage services. Or until they try to make use of their data but find it’s incredibly difficult and time-consuming to sort through this murky data swamp they’ve polluted.
One way I tend to look at this is that sacredness is in the eye of the beholder. Meaning the same data has different value and risk for different groups. If you’re a security investigator, you’re going to want to hang on to your log data because it can have huge value for solving security cases. The legal side, however, may not want to keep too much data because that data could be a liability later. For example, if during a breach an old data set filled with privacy information was compromised. So they may need assurances that certain documents will be automatically deleted. For the business intelligence folks, they aren’t concerned with the security or legal aspects of holding onto all data. They want all historical information to mine and use to extrapolate trends, so in their minds at some point, any log can be turned into an asset.
So really you have different parties with different needs and risk tolerances that are all viewing the same data sets through different lenses.
The short answer is no, not all data is sacred. With the caveat that it depends on who you ask. That’s why nearly every organization is or will be facing the issue of data sprawl. Because it’s still easier just to hoard everything right now then actively categorize your data with intention.
Grant: You’ve been very forward-thinking about data classification and what makes data sacred for years. More so than many people even today. What are people getting wrong about sacred data?
Rich: I think too many in the security industry let the regulators and auditors define what sacred data is. And they use tools built for meeting compliance as a crutch. So all PCI data, all HIPAA data, GDPR data, and so forth are instantly sacred, but only as far as compliance is concerned. Security’s default baseline today is to meet compliance, but just being compliant doesn’t mean you are protected. Security professionals know this, but it’s an ongoing battle to get the budget and resources they need from the execs who view security itself as a box to check off. Because from an executive standpoint, security is there to meet compliance and then get out of the way.
What I get much more excited about is the sacredness of the “crown jewel” data. What data sets really set you apart from the competition? Where is your intellectual property kept, and who can access it? Same for strategic plans, customer contracts, pricing strategies; what your business is actually built from. What many executives — and even some security professionals — fail to understand is that compliance alone will not cover your crown jewels. And this data, if compromised, can lead to an extinction-level event for a company.
That’s why security needs to move from the “business of no’ to the “business of know.”
Grant: What does it mean to be in the “business of know?”
Rich: What I’m getting at here is how we move from the backend of compliance to the front edge of value. This is moving beyond the table stakes of security as a facilitator for meeting compliance. The security team is in a unique position today to step into more of an advisory role. Where they can stop being in the “business of no” — the team that tells you what you can’t do — to being in the “business of know” — the team that knows what data is important, who can access it, and beyond that, spotting trends in the data that could provide unexpected business value.
The security team ought to know more about what data sets are important to the organization and to whom they are important for, more so than any other team. Think about the financial earnings filings for a public company. Most CISOs don’t even think about this as an asset to secure, but if it’s seen by the wrong eyes at the wrong time, there could be major damage done if that info was to go public early. So security can start thinking beyond checking off boxes and coming up with new ways to defend the data that matters most. Being in the know takes a considerable amount of effort. You have to know what data lives where, who owns the data, and know what data is flowing in and out of your business at all times.
Grant: Do you have any advice for people to start being more purposeful about what they consider sacred data?
Rich: First, understand what you are in charge of protecting. A common mistake that many new CISOs make is thinking that they are going to be handed a playbook of all the company’s secrets on day one. The truth is, sacred data is tribal. You’re likely going to find that no two executives are aligned on the top ten crown jewels. They either don’t know, can’t agree or haven’t yet earned the trust to be granted access to certain sacred knowledge. This is why CISOs need to set about discovering sacred data systematically, not tribally. CISOs are responsible for the system on day one but may not immediately reach “elder” status — where they are seen as worthy of being passed on the knowledge of sacred data — if ever.
Second, understand that compliance is just the beginning. Yes, part of the job is following frameworks and checking off boxes. But security through and through is a people process. There needs to be a constant, ongoing and collaborative dialogue taking place between all parties involved and across the business. And boxes don’t talk back. They are a one-way conversation. So while you may start the security journey by following a framework or roadmap, make pit stops along the road. Talk to the locals, visit the town attractions. Create a story as you move along and make connections along the way.
The third is in changing how we define sacred data. We are getting to the point where automation technology is allowing us to move away from object classification and start using network intelligence to find where the sacred data is and who is accessing it. By looking at data flows over time, you should be able to classify where highly sensitive concepts (not keywords) are flowing between endpoints, applications, and users. This also lends to role-based classification, where you are not chasing down each individual file but classifying people in the context of their roles to figure out the sensitivity of the data they are transmitting. Stop looking at data in isolation and define sacred data through the value it holds depending on its lifecycle. This should be a continuous process as the value of data changes over time.
All data has a story to tell. You just have to know the right questions to ask. Figuring out your sacred data’s story is a lot like investigative reporting. Everyone you interview will have their side of the story. It’s your job to turn that into a clear narrative.