Pardon Me. Would You Have Any (Grey Poupon) Data?

By Steve Gold
Posted in Security
On May 23, 2023

If you get the joke behind the title, you’re either as old as I am or spend hours on the Internet searching for ’80s commercials. Either way, good on ya!

In 2006, Clive Humby, a British mathematician and data science entrepreneur, coined the phrase “Data is the new oil.” Humby meant that data, like oil, isn't useful in its raw state. It needs to be refined, processed, and turned into something useful; its value lies in its potential. Many others have come up with different interpretations and you’re about to get mine now.

I believe the phrase “Data is the new oil” wields a social effect. It communicates data’s power and lucrativeness in the digital age. This is proven by the continual increase in breaches caused by ransomware solely to gain access to data.

During a ransomware event, data is either exfiltrated, encrypted, or in most cases, both. The systems that store/access the data are also typically disabled. Paying the ransom “should”:

  1. Enable all the systems and decrypt the data
  2. Prevent the exfiltrated data from hitting the dark web or being sold to other malicious groups
  3. Prevent you from being attacked again

However, as we know, “should” rarely happens.

This leads us back to the last two Controls. You can’t protect what you can’t see. If you don’t know what data you have, where your data lives, what’s in your data, and who’s accessing your data, you can’t protect it. This Control and these next few Safeguards are going to address how you can protect your data.

It is imperative for organizations to develop a data management process that includes a data management framework, data classification guidelines, and requirements for protection, handling, retention, and disposal of data. We’ll dive into the most important components over the next few posts.

Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Implementation Group 1

CIS Safeguard 3.1 - Establish and Maintain a Data Management Process

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.