The Hidden Data Security and Compliance Risks of Organizational Silos

Are organizational silos opening up hidden risks for compliance and data security?

March 17, 2023

With the possession of data comes the responsibility for maintaining its security, privacy, governance and compliance, shares Mark Shainman, senior director of the data governance practice area of Securiti. This is no easy task for enterprises since the specific responsibilities involved in data stewardship – security, privacy, etc. – are often assigned to separate teams using different, incompatible tools, creating separate silos based on function. 

There’s a lot of truth in the saying that “data is the new oil.” Refined and put to proper use, data can drive efficiencies, boost revenue, empower better decisions and move any enterprise forward in a competitive race. But unlike oil, the supply of data is ever-increasing, and managing the 2.5 quintillion bytes of dataOpens a new window that are created every day has become a serious challenge. 

The problem is further complicated by the fact that data is scattered in repositories that are on-premise, in multiple clouds, in SaaS systems and in other systems such as data lakes and warehouses. Often this data is subject to multiple compliance mandates based on geographical location. While it can be a complicated ask for an enterprise to keep apprised of the various compliance mandates based on location or regulation, the responsibility falls squarely on their shoulders to manage that data accordingly.

Finally, there is the issue of dark data – data that the various teams are not aware of or that may be hidden in unsuspected places with no protection or compliance controls whatsoever. A gap of this kind can have significant ramifications, making it a high priority for organizations to minimize. 

Challenges in a Siloed Approach

Consider the challenge of maintaining compliance with the European Union’s General Data Protection Regulation (GDPR). Among the provisions of the GDPR is what is commonly referred to as “the right to be forgotten.” Any European citizen can file a data subject request (DSR) and demand, among a number of other options, to have all of their personal information that a company may have collected to be deleted. This means that an organization must have the necessary visibility over said data to be prepared to fulfill such a request when it is submitted. 

The penalties for non-compliance with these sorts of regulations are severe, and achieving compliance is not an easy undertaking. Customers, for example, may have their telephone number in a marketing database, their credit card information in a cloud storage system, their address (physical and email) in a CRM system, and so on – and that is only the beginning. Therefore, finding every instance of personal identifiable information (PII) is beyond the scope of what a privacy team alone can accomplish and requires collaboration with other organizational groups, including, but not limited to IT, security and others. 

There is one other significant problem with a siloed approach to data stewardship. When enterprises are not sure about where PII may reside within their company’s plethora of scattered data repositories, they cannot be sure that it is safe. 

In today’s data environment, enterprises are faced with two fundamental problems: discovering all their data, no matter where it resides, and determining what measures are required to protect that data. The ideal solution to both of these problems is a global approach where the control of sensitive data is unified. Moving to this goal involves a number of steps.

See More: The Importance of Hardware Security Modules in Data Security

Finding, Organizing and Enriching Data

The first objective of this process is to start by identifying all of the various data systems that exist in a hybrid or multi-cloud environment. This should include any dark data that may have resulted from lift-and-shift or other cloud migration processes. There was a time when such a task would have been considered next to impossible, but with the powerful combination of AI and automation, that is no longer the case.  

The next step is to identify and classify the various types of sensitive data that reside in these systems. The discovery component of the process is crucial for detecting any special attributes identified under relevant regulations. These classifications should include categories specific to particular regulations, such as the GDPR for Europe or the newly enacted California Consumer Privacy Act (CCPA) for the state of California. 

This data then needs to be enriched, e.g., with metadata relevant to the various siloed stewardship functions. The final step is to map all of this personal data back to the respective owner. Data mapping has become a necessity for enterprises, especially with the varying possibilities of DSR demands attached to new regulations. Revisiting the earlier example under GDPR, if a deletion request is submitted, that organization needs to know where all of the individual’s personal information resides in order to remove it. Once again, even just a decade ago, a task of this nature would have been viewed as too resource-intensive and too costly to seriously consider. However, the combined prowess of AI and automation can help accomplish the lion’s share of the work. 

The Solution: Unified Data Controls

The steps described here lead to a new approach, known collectively as unified data controls. This reimagined framework enables enterprises to not only discover all their sensitive data regardless of which organizational group is responsible for governing it but quickly determine how the repositories where it resides need to be protected to meet both internal policies and external regulations. Automated processes can be layered on top of this framework to speed up and simplify compliance when, as is most often the case, governance responsibilities are spread across various organizational silos. 

Protection and governance demands will only continue to increase with the exponential growth in data volumes that enterprises are experiencing across industries. Meanwhile, regulations that govern these data are becoming more and more complex. Implementing a unified data controls framework can help organizations deal with these challenges while bridging the gaps created by organizational silos, speeding up processes and significantly reducing costs. 

How are you breaking down organizational silos to enable smarter data security and compliance? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .

Image Source: Shutterstock

MORE ON DATA SECURITY:

Mark Shainman
Mark Shainman

Senior director of the data governance practice area , Securiti

Mark Shainman is the senior director of the data governance practice area at Securiti. Previously, he spent 18 years at Teradata where he supported the company’s portfolio of cloud database and analytics software and services. Prior to Teradata, he was a senior research analyst for META Group specializing in database management systems for both online transaction processing and decision-support architectures. Shainman has advised global companies on their data management strategies.
Take me to Community
Do you still have questions? Head over to the Spiceworks Community to find answers.