Eliminating the blind spots: How to be accountable for an organisation’s overall security

Abstract

The aim of this paper is to share my experiences of being accountable for an organisation’s overall security and the challenges I have faced. In particular, this paper focuses on being accountable for the protection of data. I found that it was impossible for me to achieve my goals given that you cannot protect what you cannot see, which is true for so many aspects of the security world. I found that to be in a position to protect data, I first needed visibility and then needed to ensure that the business was able to manage and control the data. Depending on the size of the company, it often falls to information security to drive such initiatives, as often the security technologies are able to provide this visibility and the security policies support the control and continued management. Specifically, this paper has a tight focus on building foundational capability that can support data protection, life cycle management, integrity and many of the other components needed for data management, touching on each but not in significant detail, as these topics justify papers in their own right. My hope is that if, like me, you are in the sphere of managing data, you can take some comfort that you are not alone, and that this paper has mirrored some or all of your journey, or that one or more of these insights and lessons learned are helpful in your considerations in managing your data.