
Digital Transformation Demands Sound Data Governance

Forbes Technology Council

Vince Berk is the Chief Strategist at Quantum Xchange, a post-quantum crypto-agility provider. Ph.D. in AI/ML, founder of FlowTraq.

Data is at the heart of any organization. If you’re a policymaker, your data is policy. If you’re a librarian, your data is your book collection. If you’re working in a warehouse, your data is your inventory. And if you’re a computer programmer, your data is your code.

In everything we do, we organize information, and the digital transformation revolution has made information organization significantly easier. But in this data, there is a lot of power, and its integrity and confidentiality are vital to any organization.

In the old days, we had filing cabinets with documents and folders with paper. Before the written word, tribal knowledge was passed on carefully from person to person. Now, information can be stored in massive quantities in databases, file servers and the cloud. This has allowed us to collect information at a much higher detail than before.

For example, we can now track the movement of any vehicle and store it in perpetuity, the weather at any location on earth minute by minute, the hours you’ve worked and emails you’ve sent—all this data can be stored forever. And because storing information is so easy and cheap, we don’t really have a reason to clean up. It’s a bit like having a big attic.

The Attic Exposure Problem

Attics are brilliant—the Christmas decorations, seasonal gear, clothes that may be passed on to younger siblings at some point and tools only occasionally used. The bigger the attic, the more you can store and the less impetus exists to clean up.

Now imagine this attic had a bit of an exposure problem. The longer you stored things there, the more likely it was that your neighbors and everybody else could take a look at your stuff. If this sounds odd, it's exactly what is happening with our data as we continue to digitally transform our organizations. And it is easy to see why.

Let’s say an application is adopted for inventory control. This application requires a database that is installed by a systems integrator on the factory floor, and the systems perform admirably for a decade. No more cards in filing cabinets as it is all right there on the computer. However, the software becomes dated, the factory floor processes evolve and efficiency can be gained by tracking more details. So a new system is proposed, this time in the cloud.

The old data from the existing system can even be migrated, and once more a qualified systems integrator helps make this digital transformation dream a reality. With the new system up and running and the more modern inventory system now in place, the factory can run more efficiently and at higher margins. There’s just one problem—nobody decommissioned the original application.

Ensuring Effective Protocols For Data

As people within the organization move on or retire, there's a lack of clarity regarding the functions of older systems. Despite this, there's no authorization to deactivate them. This situation extends to various areas such as the HR department's employee records, legal documents stored on file servers, customer data in databases, and even sensitive source code and security keys.

Although these data repositories are often replicated to the cloud for cost-effectiveness or efficiency, they remain operational due to dependencies on outdated legacy systems. What's more, they often lack the robust security measures initially implemented when migrated to newer systems. Over time, this neglect leads to data leakage or "spillage," which can result in serious consequences:

• Customer data could end up for sale on the dark web.

• Competitors might learn your tricks and techniques or your weaknesses and vulnerabilities, gaining the ability to outflank you in the market.

• Encrypted data could be stolen and stockpiled, waiting for the day a quantum computer can break the encryption.

I find the information revolution to be reminiscent of the early days of nuclear radiation. Just as Madame Curie acknowledged the potency of radiation without fully grasping its harmful effects on her health, we initially embraced the vast potential of the information age without fully comprehending its negative impacts. However, as time has passed, we've gained insight into these consequences.

Much like there are stringent protocols now in place for handling radioactive materials, I believe the same must happen with data. An observant CISO or chief risk officer should take immediate steps to answer the following questions:

1. Who is responsible for keeping an inventory of data such as access control protections?

2. What happens to data when people leave or systems are migrated?

3. What process is used for the adoption of new software or services to evaluate what data is collected and stored there?

4. What is the process for decommissioning software or services?

5. What are the policies governing data backup and retention?

When those five questions are answered and evaluated and policies are put in place to manage them, the next step is to search for the things that have already slipped through the cracks.

For the technology executive who sees their sprawling data empire rapidly expand without restraint, it's important to take action. Dedicating an individual who truly owns this problem and getting answers to these five questions is the first logical step. And that is only the beginning. These are not just policies but processes that must become engrained in the organization, which is a journey that takes years.

