Published on 29/03/2023 | Written by Heather Wright
And what CISOs need to do about it…
Conventional wisdom may be that data is the new oil, or gold, but Leigh McMullen has a different view – and one he wants Australian and New Zealand CISOs and security professionals to consider seriously.
McMullen, Gartner distinguished vice president, analyst and Fellow in the CISO, security and risk management team, says data is, in fact, ‘the industrial pollution of the digital era’, toxic on multiple levels and something companies need to start thinking about ‘a bit differently’.
Speaking at the APAC Gartner Security and Risk Management Summit 2023 in Sydney this week, McMullen says that while organisations hoard data, often under the auspices of data monetisation or customer intimacy, it’s time to question whether the value of the data collected by making customers hand over personally identifiable information (PII) just to use the toaster oven they bought is worth the massive increase in risk that the hoarding behaviour causes.
“When we engage in strategic forgetting, we actually make the data we retain more valuable.”
“Data is toxic waste. It does create greenhouse gasses and other toxic waste. Endless retention of data actually plagues us, it makes the data less valuable,” he says.
He admits the idea came from ‘the mad scientists of cybersecurity cohort’ – it’s not conventional research but from the CISO edge research stream – but is adamant companies must start building much better, and much stronger, cyber judgement when it comes to the data they choose to collect and how they treat it.
And he’s also advocating for strategic forgetting of data and even, potentially, a ‘drop chain’ – a publicly auditable blockchain with a ‘forgetting’ layer.
McMullen argues that even companies that are ‘really, really good at monetising data, are not very good at it’, citing the example of Amazon constantly showing ads for a product you’ve already bought. That’s something that might be amusing on some levels, but which McMullen notes has serious implications in increasing buyer’s remorse – and returns, which cost companies real money.
Data collection can also add hurdles to the customer experience and, critically, exposes companies to greater threats, he says.
“In the same way we manage attack surfaces these days, we need to be thinking about managing target areas,” McMullen says.
“I’d like us to just start thinking about what our target areas are in our enterprise – what is actually valuable, what would actually create problems if it got out?”
First up, he says, is to distinguish risks from threats.
“There is a galaxy of vulnerabilities and risks out there, and gazillions of different ways data could be exfiltrated from your enterprise. But there’s still just pretty much one threat outcome from data exfiltration – fines,” he says, arguing that brand is not as important as many think in business.
“We all saw Target got hacked. We were all shopping there the next day.”
As to the concern about competitors getting your data, McMullen notes wryly “I hope they have better luck with our MDM issues than we have.”
“We need to get real with business people about what the threats actually are.
“Start talking about things from the outside in. We can overwhelm them with the sea of vulnerabilities or just keep things very simple and just talk about threat outcomes.”
Threat outcomes, he notes, are manageable.
“So what if the data gets exfiltrated – if it’s encrypted and no one can use it, you have mitigated the threat outcome. So what if it gets exfiltrated if it doesn’t contain any PII or target data, it doesn’t really matter.
“We need to adopt a very pragmatic mindset towards these things and assets.”
His data classification strategy – one that comes with his own warning that it is hyperbole – is to focus solely on privileged data: data that would cause fines or material financial or legal harm if released.
But, he notes, the easiest way to reduce the target area is simply not to collect privileged data in the first place.
“Wherever practical, wherever possible just avoid doing it.
“If you collect privileged data online, it will be accessible online. Period.
“I know you know that, but you need to get your businesspeople and their brains wrapped around it because they still think the data is free. They think you can capture it in an online mechanism and somehow move it into this safe space. And we know that is not true.
“If we create those bridges, if we collect it online it is going to be available online and there is almost nothing in the world you can do to stop that. So maybe don’t do it in the first place.”
He’s also advocating for companies to consider how they are creating richer targets and increasing the target area through practices such as verification processes. McMullen cites an insurance company calling a client and then requiring the client to provide PII for verification.
“No. You called me!
“This isn’t a complicated problem because these companies know me. There are a number of ways we can get around this verification process – we could have a challenge and response, a code, they could tell me something they know about me and I could verify whether it is true. There are ways we can do this without having to exchange information that can be weaponised against me.”
If data is gold, McMullen says, it needs different controls, and the total cost of ownership of storing and owning it needs to be included in its overall profile and picture.
“We’re going to have to secure it and own it very, very differently, and we may need to change its lifecycle.”
And that’s where he argues for strategic forgetting – particularly in light of AI and large language models – and dropchains, a ‘kind of wild idea we’re still playing with’, which would allow users to tell companies that they want them to forget something, all on a publicly auditable blockchain.
“AI is a bias amplifier.
“Your brain automatically unloads biases so we can learn new things and don’t get bound up in our biases. Data is an absolute bias amplifier and as we go deeper into AI, as we begin to do more LLM, we need to get even better at really helping business understand what data we need to keep, what we should keep as far as historical data and what we should be using for training models and how we want to update those training models.
“This is all part of not just data classification and governance and security but really, honestly helping to create great cyber judgement, which is more than just cyber security threats from hackers. It also includes ethics and just good business decisions around the use of data and information particularly when using information or data driven algorithms like AI.
“When we manage our data well, and engage in strategic forgetting, we actually make the data we retain more valuable. Because we have retained it, we have groomed it, we know where it fits into our plans and we have got that information synthesised,” he says.
So, if you think data is gold, make sure you think about it like gold, McMullen says.
“What makes money more valuable? Liquidity. The more money changes hands in a market is how you increase the value of money. So if we’re going to treat data as something that has actual currency like gold, we need to store it like gold, the business needs to protect it and pay for it like it’s gold and we need to ensure that it is actually fluid, that we are actually transacting with it, increasing its value by narrowing its scope and allowing more organisations, or allowing us to play with it differently so we can increase its liquidity.”