Building a culture that favors protecting data can be challenging. In fact, most of us who love our data spend a huge amount of time standing up for our data when it seems everyone else wants to take the easiest route to getting stuff done. I can hear the pleas from here:
- We don't have time to deal with SQL injection now. We will get to that later.
- If we add encryption to this data, our queries will run longer. It will make the database larger, which will also affect performance. We can do that later if we get the performance issues fixed.
- I don't want to keep typing our these long, complex passwords. They are painful.
- Multi-factor authentication means I have to keep my phone near me. Plus, it's a pain.
- Security is the job of the security team. They are a painful bunch of people.
…and so on. What my team members don't seem to understand is that these pain points are supposed to be painful. The locks on my house doors are painful. The keys to my car are painful. The PIN on my credit card is painful. All of these are set up, intentionally, as obstacles to access -- not my access, but unauthorized access. What is it about team members who lock their doors, shred sensitive documents, and keep their collector action figures under glass that don't want to protect the data we steward on behalf of customers? In my experience, these people don't want to protect data because they are measured, compensated, and punished in ways that take away almost all the incentives to do so. Developers and programmers are measured on the speed of delivery. DBAs are measured on uptime and performance. SysAdmins are measured on provisioning resources. And rarely have these roles been measured and rewarded for security and privacy compliance.
To Reward, We Must Measure
How do we fix this? We start rewarding people for data protection activities. To reward people, we need to measure their deliverables.
- An enterprise-wide security policy and framework that includes specific measures at the data category level
- Encryption design, starting with the data models
- Data categorization and modeling
- Test design that includes security and privacy testing
- Proactive recognition of security requirements and techniques
- Data profiling testing that discovers unprotected or under-protected data
- Data security monitoring and alerting
- Issue management and reporting
As for the rewards, they need to focus on the early introduction of data protection features and service. This includes reviewing designs and user stories for security requirements.
Then we get to the hard part: I'm of a thought that specific rewards for doing what was expected of me are over the top. But I recognize that this isn't always the best way to motivate positive actions. Besides, as I will get into later in this series, the organizational punishments for not protecting data may be so large that a company will not be able to afford the lack of data protection culture we currently have. Plus, we don't want to have to use a prison time measurement to encourage data protection.
In this series, I'll be discussing data protection actions, why they are important, and how we can be better at data. Until then, I'll love to hear about what, if any, data protection reward (or punishment) systems your organization has in place today.