Dealing with VUCA: How to Build Agile Data Protection for Uncertain Times

Originally posted at https://www.intelisecure.com/dealing-with-vuca-how-to-build-agile-data-protection-for-uncertain-times

VUCA is a concept that originated with students at the U.S. Army War College to describe the volatility, uncertainty, complexity, and ambiguity of the world after the Cold War. The concept has acquired fresh relevance as we seek to characterize the current business environment—and develop the agility necessary to navigate it successfully.

The elements of the VUCA concept help organizations contextualize the challenges they face:

• Volatility describes the dynamics and speed at which change happens
• Uncertainty defines the unpredictability of issues and events that may affect the business
• Complexity refers to both the number and interplay of issues that need to be addressed
• Ambiguity points to the potential for error when challenges are unclear and unknown

Defining the context of business in this way is useful because the world is moving faster than ever. Organizations are turning to Agile methodology to navigate the rapidly changing landscape. And digital transformation and other change initiatives are happening at an unprecedented pace.

For Information Security leaders like you, addressing this dizzying barrage of challenges requires a fundamental shift in the way your organization addresses data security.

A Moveable Model: Agile Data Protection

The VUCA business climate demands a shift away from Change Management, where a change from one normal operating condition to another is managed carefully, to Change Leadership—a model in which change is perpetual and there is no expectation of a “normal” or static operating condition.

“We’re entering an age of acceleration. The models underlying society at every level, which are largely based on a linear model of change, are going to have to be redefined… Organizations are going to have to redefine themselves at a faster and faster pace.” — Ray Kurzweil, Director of Engineering at Google

The best way for your security team to adapt to this new environment is to adopt a VUCA mindset as well. You must be prepared to move and change quickly as the business around you changes. Static defenses and programs are no longer effective or relevant. Instead, data security programs must focus on being agile and protecting what is universally important.

The complexity of data protection makes the shift to a state of continual adaptation difficult. However, by addressing each VUCA element in turn, it’s possible to change the way your organization thinks about information security. 

Sidestep Volatility: Focus on Critical Information Assets, not Technologies

The importance of focusing on critical assets first cannot be overstated. For several years, information security teams have been able to spend money without defending their investments. In the current economic climate, those days are likely over.

You must justify your security spend. For many organizations that means consolidating and investing judiciously in technology and techniques that yield high ROI.

Making the business case for security starts with the ability to define what we’re protecting and why. Start by defining the information assets that are most important to your organization such as:

• Regulated data like Personally Identifiable Information (PII) and credit card numbers
• Intellectual Property like trade secrets and pre-patent filings
• Other sensitive information that provides a competitive advantage like risk models or customer lists

When resources are scarce and every department is facing budgetary pressure, those who can make the best business case get the funding they need.

Limit Uncertainty: Measure Data Security Risk

The next step is to identify risk to your critical information assets. Here, remember that the most valuable information is not always the information with the greatest risk. In many organizations, the most valuable information is heavily protected. But large volumes of information with a smaller per-record value has weaker protection.

A classic example is a company that has a secret recipe. The controls around digital copies of that recipe are extremely rigid. It’s as if the recipe were housed in a digital Fort Knox.

However, that same organization might have massive amounts of customer PII in an unsecured Amazon Web Services S3 bucket. Perhaps the IT team wasn’t properly trained in cloud architecture, and when the organization embraced cloud services, they failed to implement a technology to monitor those configurations.

How do you measure data security risk?

The classic risk equation is:

R = AV x EF

where R is risk, AV is asset value, and EF is exposure factor.

Exposure factor is often tied directly to the community of users who will interact with an asset. In our example, the number of people who need to interact with the secret formula is relatively small, so complex controls can be put in place to limit access.

In contrast, a large number of people in the company access the customer lists. They may even share that information with third parties. As a result, the controls must be looser so that security doesn’t interfere with business operations. That broad exposure factor multiplies the risk.

However, it is possible and prudent to put safeguards and monitoring solutions around the customer lists. You must define authorized transactions to ensure that unauthorized movement of the PII doesn’t take place. To deploy those controls, you must have a thorough understanding of the data, how it’s used, and the risks to that data. And you must educate users about why those controls are in place.

In this example, it’s also important to understand that we’re not interested in avoiding the risk. Risk avoidance has a business cost that is often unacceptable. If your security team tells business users they can’t perform an action, use a technology, or embrace method that gives them a competitive advantage, the business will circumvent your rules. Our role in security is to mitigate the risk to an acceptable level.

Reduce Data Protection Complexity: Set Your North Star

In a world of constant change, human beings have a psychological need for consistency. If we are heading north, we may take countless roads to get where we are going. But in general, we want to know that we are still heading north. We need to see the big picture—and keep our primary goal in front of us.

This is also true for executive leadership teams and boards. From a security perspective, we must provide a “North Star”—that is, a clearly defined overarching security principle—and demonstrate the flexibility necessary to modify our tactics to fit the changing landscape around us. If we can do both, it is likely the executive leadership team will trust us to secure the organization.

What is your data security North Star?

The North Star should be a data security program charter. InteliSecure calls this charter a Critical Asset Protection Program Scope. The idea is that we will:

• define the most important information
• create a roadmap for protecting it, at a high level

The roadmap will change every quarter. But the information assets are unlikely to change unless the fundamental business changes—such as in the case of a major acquisition.

The program charter is not about individual capabilities or technologies. You should be able to switch out every security technology you own with no impact to the charter. If you can’t, your charter is built around a vendor or capability rather than the information you are trying to protect.

Adapt to Ambiguity: Build a Modular Data Protection Program

Once your North Star is established, you can begin to evaluate what capabilities are necessary to accomplish your protection objectives.

What is a capability requirement?

For example, you may decide that Amazon Web Services are going to be part of your ongoing development strategy. As a result, you need the ability to monitor and protect the sharing of sensitive information in data repositories inside of AWS.

You may also realize a small number of employees have access to extremely sensitive information. You may want to deploy additional monitoring capabilities to their machines to ensure they are complying with your acceptable use policy.

These capability requirements are the foundation of your modular data protection program and inform an effective technology evaluation. They are not a laundry list of security technologies that are purchased of their own sake. You may not need the same technologies as other businesses.

Security technologies are not Pokemon. You do not have to “catch them all.”

The technology solutions you need may vary by use case, but in general, they will fall into a few broad categories.

• Data and Network Security—This is the largest category and often most directly linked to the information you’re protecting. The category includes traditional network technologies like firewalls and secure web gateways as well as data-centric technologies like DLP and Data Classification.
• Cloud Technologies—Cloud Access Security Brokers (CASB) and Cloud Security Posture Management (CSPM) technologies are a large technology category on their own.
• Identity and Access Management—This category covers technologies like Single Sign On, Identity Governance, Privileged Access Management, and Multifactor Authentication.
• SIEM Solutions—This space is focused on identifying patterns and responding to anomalies.
• Endpoint Protection Platforms—This final category has become an area of focus as companies have implemented more remote working arrangements.

Essentially the modular program will look something like this:

The idea is that the model can flex to add new disciplines if necessary, but changes at that level are rare. However, individual technologies—that bottom row—can be added or removed at will under each discipline to meet changing objectives. The Critical Asset Protection Program—your North Star—would not change.

Building a modular program enables your security team to be both agile and consistent and will allow you to evaluate your technology decisions through a risk framework that is specific to your most critical information assets. You can also use the framework to evaluate existing security investments if budget cuts are in your future.