Abstract

Data breaches at companies such as payment card processors Heartland Payment Systems and RBS WorldPay, as well as retailer Hannaford Bros., all of whom had been certified compliant with the Payment Card Industry Data Security Standard (PCI DSS), have proven the sad truth: compliance is no guarantee that an enterprise won't suffer a data breach. The problem is that PCI, like other industry and government security standards, addresses only segments of an enterprise ecosystem. Moreover, PCI is really meant to be a starting point -- basic best practices -- not a destination. Consequently, PCI has some notable gaps, the most critical being that it currently focuses strongly on encryption for data at rest. While most data is at rest much of the time, securing only stored data leaves data unprotected at the point of acquisition and in transit, and attacks on these points are occurring with increasing frequency. As Rep. Yvette Clarke (D-N.Y.) said at a recent hearing on data security held in the U.S. House of Representatives, it’s time to “dispel the myth once and for all that PCI compliance is enough to keep a company secure.” All enterprises need to move beyond basic regulatory compliance and develop their own customized plans to manage and protect data throughout its entire lifecycle. A risk-based classification process enables businesses to determine their most significant security exposures, target their budgets towards addressing the most critical issues, and achieve the right balance between cost and security. In this interview, Protegrity’s CTO Ulf Mattsson discusses the risk-analysis processes that can help companies achieve cost savings while measurably enhancing their overall data security profile with a holistic plan that protects data from acquisition to deletion.
