Originally published by New Context.
Lean information security is a method of taking an older concept and applying it to new challenges in an organization. Data is a big part of it. Today, it represents one of a company’s most significant assets—and its largest liability. Overall, data breaches cost companies $1.3 billion in 2019. That number will continue to grow due to continued digital acceleration throughout 2020 and beyond.
A key method for managing these data liability challenges is to return to traditional principles that help eliminate waste and close security holes. Lean security intelligence applies the early tenets of lean manufacturing to modern information security challenges and helps companies mitigate data risks.
The Basics of Lean
Lean is a method of eliminating waste in a production process. By understanding every step involved in taking a product from concept to creation, leaders find issues that require streamlining. There are five primary components to lean that most adherents recognize:
MAP THE STREAM
|Business value is the end goal of any process. Why is the product needed, and how will it further an organization’s objectives?||These are all the steps needed to create the product or service that provides value. It’s represented by a map that shows the flow of the original process.||The organization creates a new flow after removing potential waste from the value stream. This step ensures it works without the old wasteful processes.||Pull is a shift from creating products before demand is established. Instead, the company allows the market to guide its production process.||This component centers on making the process portion of an organization’s culture focused on continuous improvement.|
These are the original five steps as they apply to a production process—however, they require some tweaking to make them work in an information security setting. After all, the value of data isn’t in the information itself. It lies in how the organization will use it and the potential risk it creates.
4 Lessons for Applying Lean to Information Security
Lean is a continuous cycle. The steps occur over and over again, in perpetuity. There’s always room for improvement, so there’s always a way to enhance the program. This cyclical nature is instrumental in managing data, as data is ever-growing and evolving with an organization.
For this to apply, some of the basic steps need to change. There are four key lessons to use in lean security: awareness, simplification, automation, and measurement.
Awareness centers on a deep understanding of the data an organization holds and everything that can impact it. Aside from knowing the exact nature of data, whether it be personal information, necessary system files, anonymized information, or other details, it’s also crucial to understand:
- Lifecycles: Data lives in stages, from creation to distribution, use, and disposal. Organizations will have a mix of data, all in different lifecycle stages.
- Regulations: A wide range of laws and restrictions will apply to different types of data. Knowledge of these rules and limitations is vital.
- Classifications: Data must be classified based on its risk level. Simple, anonymized data should be separate from personally identifying sensitive information and tagged appropriately.
- Governance: What’s the existing process for managing the data, and does it meet minimum requirements?
A complete understanding of an organization’s data is necessary to establish methods of protection that can be simplified, automated, and measured.
The simplest data protection method is often the best, as it leverages existing resources and is easy to maintain. Consider the cloud-native environment and the protection of data within. In this, administrators remove the data from the infrastructure and apps rather than create complex security procedures to protect stored information. Data is held outside of the system and fed in as needed. This process makes it easier to terminate the infrastructure in the event of damage while protecting data from bad actors.
Automation can enforce compliance with security protocols and limit data exposure. Data is tagged based on its risk category, and then appropriate compliance and security steps are attached. This process will ensure protocol adherence regardless of volume, so the system can scale as data grows and changes.
Measurement involves the use of feedback to create actionable metrics for the guidance of improvement processes. This feedback is continuous so that it can address new challenges and controls. Proper measurement also enhances efficiency by showing organizations how they can improve existing processes.
Adapting with Lean Information Security
Lean information security builds on past principles by making them adaptable for ever-changing and growing data. Awareness, simplification, automation, and measurement allow organizations to improve without reinventing entire programs. Lean information security can eliminate waste, but it has a more important goal—to enhance the security of an organization systemwide.