Empower the organization for data defense and innovation

COMMENTARY: Nearly two-thirds of organizations oversee at least one petabyte of data, and 41% manage no less than 500 petabytes. To put that into perspective, a single petabyte represents the equivalent of one-half of all of the content at U.S. academic research libraries, or 11,000 movies in 4K.

With the total amount of data in the universe projected to proliferate to 660 zettabytes by 2030, the challenges will continue to mount for chief information security officers (CISOs) and their teams. Just as we’ve seen tensions surface between security and network professionals, we’re now seeing similar dynamics play out with the business side on data.

Not that this should come as a complete surprise: Practically every business group in an organization works with large data sets – they seek to analyze the most information possible to get the job done.

But, because they are not part of the security team, they often aren’t thinking about whether a data set is sensitive or confidential, or how much risk it could bring. And, of course, the surging – even ubiquitous – deployment of artificial intelligence (AI) rapidly elevates data volume and, therefore, its associated risks.

This has forced a mindset shift for security departments: from that of a threat-centric team to a data-centric one. For decades, these teams have focused on thwarting cyber criminals, and they still do. But they must now also command a deep understanding of data flows and how to protect them. In addition, they have to strike the right balance between optimal governance/controls and the need for business units to maximize the value of data without onerous restrictions.

Fortunately, they can achieve all of these goals through proactive communications and collaborations. With this in mind, here’s a two-step strategy to empower business users while still safeguarding the data:

Establish visibility: This remains the first and foremost step – teams need to identify who “owns” what and how it’s used. Otherwise, the team won’t know who’s downloading sensitive data, and who might upload it to a large language model (LLM) tool to create unnecessary exposure. Today, everyday users have the capability to process all of this as if they were data scientists. That’s why visibility and control prove critical, to incorporate effective guardrails while not inhibiting productivity/strategies.

Educate users in real time: A spirit of collaboration will help greatly. Teams need to get together with business units regularly to better understand their data-related processes while communicating to them what qualifies as “acceptable use” and what does not – especially “in the moment” when new data resources and tools come into play.

Teams may actually discover that many users outside of IT do not comprehend how much risk they face. On the positive side, nearly one-half of business executives cite data protection/trust as their top cyber investment priority. This bodes well for a partnership with the CISO/security team to develop and enforce best practices for safely working with data, as well as AI.

Such a partnership will hopefully eliminate the friction and frustration that often emerge as the business side acquires more and more data sets and tools, while frequently resisting – via shadow IT – attempts to enforce guidelines, rules and controls.

By educating “in the moment,” users readily comprehend why something gets blocked or flagged as a potentially risky activity, and are more receptive to these measures. It’s also helpful to offer viable, business-friendly alternatives to risky practices, to assure users that security does not have to come at the cost of innovation.

While this particular tension may seem new, it’s really about the same conversation that’s been going on for years: Workers want to get work done. Defenders want to defend.

Which means it’s essential to ensure that collaboration, education and enablement are always embedded in data visibility and control initiatives. This will better protect the enterprise while keeping users happy with minimal friction, to dispel any stereotypical – and false – “Department of No” impressions about security teams.

It’s a formula for success – whether the company’s business units oversee the data equivalent of 11,000 4K movies, or much, much more.

Damian Chung, vice president of cyber defense, Netskope

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
