Ganesh Kirti is the founder & CEO of TrustLogix in the data security governance space. He was formerly cofounder & CTO of Palerra.
As organizations continue to rely heavily on data for making strategic decisions, it becomes crucial to prioritize data security to protect valuable assets. The challenge is further exacerbated by ongoing needs for cloud migration, federated data mesh deployments, analytics, cloud warehouses and generative AI.
The roles of the chief information security officer (CISO) and chief data officer (CDO) are vital in ensuring secure data access, privacy and compliance. Partnerships between data and security teams and leadership can lead to increased productivity for data workers, risk reduction and faster time to market for data-driven projects. Data security engineering is the ideal bridge between these two teams, managing the needs of both to deliver on the KPIs each team is striving to achieve.
Collaboration Between The CISO And CDO
The partnership between the CISO and CDO should combine their teams’ respective areas of expertise to safeguard data and support the organization’s data-driven initiatives. By working closely together, these two roles can align security requirements with data initiatives, resulting in improved risk management and overall data governance. CISOs can guide risk monitoring controls, security policies and best practices, and CDOs can provision those policies during the dataset build process and ensure they have a defensible audit of policy enforcement. This collaboration helps ensure that security measures are implemented without hampering the agility and productivity of data workers.
The Need For Data Security Engineering
Data security engineering refers to the systematic approach of integrating visibility and access controls and practices into the entire data life cycle. By incorporating security measures from the initial stages of the dataset build process, organizations can help ensure robust protection of sensitive data throughout its life cycle. A key aspect of data security engineering is fostering collaboration between CISOs and CDOs, who traditionally have distinct responsibilities but share a common goal of safeguarding organizational data assets.
In some cases, data security engineering can be a shared responsibility between the CDO and CISO, whereas in other cases, one role may take the lead. The CDO is responsible for managing and leveraging data as a strategic asset within the organization. Although not necessarily responsible for data security engineering, the CDO plays a crucial role in data governance and data-driven decision-making. The CDO should collaborate with the CISO to align security requirements with data initiatives, develop data protection policies and enable secure data-driven innovation.
The following security plays can be integrated into the data security engineering workflows:
• Data Classification And Access Controls: CISOs and CDOs can collaborate to develop a data classification system that categorizes data based on its sensitivity and criticality. This classification enables the implementation of appropriate access controls and restrictions, ensuring that only authorized individuals can access and handle sensitive data. This joint effort helps ensure that security controls are aligned with data needs.
• Visibility And Risk Controls: Visibility and risk controls play a crucial role in ensuring data integrity and identifying potential vulnerabilities. CISOs need comprehensive visibility into data usage and must be able to identify risks and take the necessary actions to mitigate them. Visibility controls include detection of shadow IT, overly granted access, ghost user and service accounts, unprotected data and dark data, along with anomaly detection and automated risk assessments.
• Access Controls (RBAC And ABAC): Access controls are essential for managing and granting appropriate access rights to individuals or groups within workflows. Role-based access control (RBAC) and attribute-based access control (ABAC) are two commonly utilized methodologies for enforcing access controls. RBAC assigns access rights based on predefined roles, ensuring that permissions align with job responsibilities. ABAC, on the other hand, leverages attributes to make access decisions, providing a more granular and flexible approach. CDOs need an automated tool that allows them to implement access control policies at scale.
• Robust Security Policies And Standards: Through collaboration, CISOs and CDOs can develop comprehensive security policies and standards that align with data requirements and ensure the protection of sensitive information. This includes creating guidelines for data access, classification, retention and encryption, among others. By working together, they can establish a strong framework for data protection.
• Risk Management And Mitigation: By combining their knowledge and expertise, CISOs and CDOs can effectively identify and assess data-related risks. Through risk assessments and analysis, they can develop risk mitigation strategies, such as implementing data loss prevention mechanisms, auditing controls and incident response plans. This collaborative approach helps ensure that potential risks are proactively addressed.
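The classification, access-control and visibility plays above can be wired together in a single policy check. The following Python is an added illustration, not code from the article or from any product it mentions: it maps a dataset's classification level to role clearances (RBAC), layers attribute rules such as data residency on top (ABAC), and runs an over-granted-access report against an access log. All names, roles, attributes, policies and log entries are constructed.

```python
"""Classification-driven dataset access: RBAC plus ABAC, and an over-grant report.
Added illustration; every name, role, attribute and policy here is constructed."""
from collections import namedtuple

# Sensitivity levels from the data classification step, lowest to highest
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# RBAC: each role is cleared up to one sensitivity level (constructed policy)
ROLE_CLEARANCE = {"analyst": "internal", "data_engineer": "confidential", "dpo": "restricted"}

Dataset = namedtuple("Dataset", "name classification region")  # region: residency attribute for ABAC
User = namedtuple("User", "name roles attrs")                   # attrs e.g. {"region": "eu", "training": True}

def clearance(user):
    """Highest sensitivity level any of the user's roles is cleared for (-1 if none)."""
    return max((SENSITIVITY[ROLE_CLEARANCE[r]] for r in user.roles if r in ROLE_CLEARANCE), default=-1)

def rbac_allows(user, ds):
    return clearance(user) >= SENSITIVITY[ds.classification]

def abac_allows(user, ds):
    # Attribute rules layered on roles: data residency, and privacy training
    # before anything classified confidential or above
    if user.attrs.get("region") != ds.region:
        return False
    needs_training = SENSITIVITY[ds.classification] >= SENSITIVITY["confidential"]
    return not needs_training or bool(user.attrs.get("training"))

def decide(user, ds):
    """Grant only when both the role layer and the attribute layer agree."""
    return rbac_allows(user, ds) and abac_allows(user, ds)

def overgranted(users, datasets, access_log):
    """Visibility control: users whose clearance exceeds the most sensitive
    dataset they actually touched; access_log holds (user, dataset) name pairs."""
    level = {d.name: SENSITIVITY[d.classification] for d in datasets}
    report = {}
    for u in users:
        used = max((level[d] for n, d in access_log if n == u.name), default=-1)
        if clearance(u) > used:
            report[u.name] = (clearance(u), used)
    return report

# Constructed sample data: three users, three datasets, a small access log
USERS = [User("alice", {"analyst"}, {"region": "eu"}),
         User("bob", {"data_engineer"}, {"region": "eu", "training": True}),
         User("carol", {"dpo"}, {"region": "us", "training": True})]
DATASETS = [Dataset("sales_eu", "internal", "eu"), Dataset("pii_eu", "confidential", "eu"),
            Dataset("health_us", "restricted", "us")]
ACCESS_LOG = {("alice", "sales_eu"), ("bob", "sales_eu"), ("carol", "health_us")}
```

With the sample data, the over-grant report flags bob, whose role clears him for confidential data while the log shows him touching only internal data; that is the kind of finding a CISO's visibility tooling would surface for the CDO to right-size.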
Data security engineering processes, along with collaboration between CISOs and CDOs, are essential for organizations seeking to protect their data assets and improve productivity. By implementing a shift-left process and provisioning visibility and access controls as part of the dataset build process, organizations can help ensure data security from the earliest stages, reducing the risk of security incidents and enhancing the efficiency of data workers.
Traditionally, CISOs need visibility and risk management tools, while CDOs look for access controls and entitlement management tools. Using separate tools adds to the challenge if they operate in silos. Ideally, a single data security platform that provides both visibility and access controls will help the CISO and CDO collaborate and avoid siloed tools and complexity.