A CEO's Guide to Big Data Security

Steve Durbin helps CEOs make sense of the Big Data challenge
Steve Durbin helps CEOs make sense of the Big Data challenge
The layered effect of security
The layered effect of security

The promise of actionable insight from data isn’t new – business intelligence and other analysis capabilities have long been used by many organizations. What has changed is the rate at which data is growing, the way the data is changing and the demands being placed upon it by businesses of all sizes. This is leaving CEOs with the unenviable task of handling potential security risks associated with ‘Big Data’.

Anticipation of demand, development of products, discovery of new threat vulnerabilities, fraud detection – these are some of the uses for Big Data analytics that can deliver increasingly effective security and business advantages.

Whether opening the door to innovations, revealing new insights into consumer behavior, centralizing control of processes, or creating controversial battles over who owns it, Big Data has caused a radical shift in how business gets done. Here we survey the Big Data landscape, examine why it is such a topical business issue and define some of the ways that senior executives can engage with Big Data opportunities – today.

When Does Data Become Big Data?

Before we dive in any further, let’s first define Big Data. Data becomes Big Data when it can be efficiently collected, sorted, crunched, stored and accessed in a way that moves enterprises (and society) forward. Data is considered Big Data when any one or more of the following characteristics are true:

  • Data volumes are massive, growing rapidly, or both
  • Data is complex (less structured) and therefore difficult for computers to interpret
  • Data sources are diverse (possibly including sources from outside the organization)

In short, Big Data refers to performing increasingly sophisticated analysis on massive amounts of data that is predominantly unstructured.

Much data now available to organizations is generated through public online networks that generate it from everyday activities, such as social media posts. Alternatively, the data is taken from non-traditional feeds like CCTV, the RFID tags on shopping carts, or the GPS data transmitted by smart devices. These are considered ‘unstructured’ data because they are not batch oriented and cannot be easily categorized to fit in an existing data set. However, this data is highly sought after because it often produces the most valuable insights and can be extremely useful in understanding anomalous customer behavior or finding quick solutions to pressing business problems.

Research suggests companies that use Big Data analytics to guide decision-making have higher operating efficiencies and returns on equity than their competitors. Nevertheless, as businesses collect and store all of this data, they must contemplate what will be done with it and how it can be used both securely and legitimately.

Basement to Boardroom

The security risks have become even greater for businesses with the explosion of Big Data. It has been the cause of distress for some: primary concerns are how much data is being collected, with whom the data is being shared, and how it is being used. There is a fundamental need for better engagement throughout organizations – from the CEO’s office to the IT department – that requires adoption of clear guidelines and best practices for the use, storage and transfer of data.

C-level executives are now faced with extremely large amounts of data from a variety of sources. Not only must companies reckon with exponential internal data growth, but also external information from sources such as the cloud, social media, regulators, email, and IM, which are now creating another category of Big Data that provides the filling in the external/internal data sandwich. Additionally there is now relentless technology innovation that presents a new set of challenges.

Not only is there an explosion in the ability of technology to process data, there are also multiple platforms producing, accessing and storing it. This can be viewed as both a burden and an opportunity. While the three V’s of data (Volume, Velocity and Variety) are increasing, what’s decreasing is organizational control and the ability to deploy security solutions around this data. Executives tasked with managing company data must find a delicate balance between everyday data management tasks and effectively leveraging the information through analysis.

Embrace Big Data Now

Pressure is already mounting for businesses to embrace Big Data, which is proving its business value. The US healthcare market has the potential to reap $300bn of value per year (0.7% productivity growth) from Big Data. McKinsey further estimates that retailers could see operating margins increase by 60% as a result of the trend and the global market opportunities for personal geolocational data, which the analyst firm data valued at $100–700bn in a May 2011 report.

When discussing the significance of Big Data, CEOs must tailor the importance of the business value so that it is appropriate for the correct audience. For example, executives and boards want to balance the risks and rewards of operating in cyberspace by ensuring that their investment in information security and cybersecurity is appropriate to manage and mitigate risks. Other audiences might be more concerned with details about how Big Data analytics can provide other insights, such as improving the effectiveness of controls, lowering the cost of a specific information security exercise, decreasing the probability or impact of an incident…and so on. 

Data aggregation and Big Data analytics promise businesses a treasure trove of marketing intelligence, but few have realized the potential benefits for improving information security posture.

Big Data can be very effective for threat management, including both external and internal threats. From the information security standpoint, the key security issues surrounding Big Data have so far fallen into five areas: cybersecurity; data in the cloud; consumerization; interconnected supply chains; and privacy.

According to the ISF’s Cyber Security Strategies report from January 2012, cybercriminals are better organized, more professional in their approach, and have access to powerful tools and capabilities, all advantages they employ to identify, target and attack. When things go wrong, they can go wrong big time for an organization. Cyber resilience and preparedness strategies are crucial for Big Data implementations.

The pressure for businesses to quickly adopt cloud-based services – often to support Big Data’s challenging storage and processing needs – comes with unforeseen risks and unintended consequences. Big Data in the cloud is a highly attractive target for harvesting, and it places more demand on businesses to get their secure cloud sourcing strategy right.

Hand in hand with the growth of Big Data is the proliferation of new mobile devices. The volume of smartphone analytics and web browsing details are the stuff of security nightmares, particularly when these are blended with both personal and work data. Organizations must ensure that employee policies are in place and continue to manage mobile devices in line with their established security policy.

Organizations are part of often complex, global and interdependent supply chains, which can be their weakest link. Information is what binds supply chains together, ranging from simple, mundane data, to trade secrets and intellectual property. There is a key role for information security departments in coordinating contracts for, and provisioning of, the entire business supply chain.

As larger amounts of data are generated, stored and analyzed, privacy concerns will become an even bigger issue. Start planning for new data protection requirements as soon as possible, while monitoring for further legislative and regulatory developments.

According to John Linkous, security research fellow at elQnetworks, a provider of security and compliance solutions, solving the Big Data problem often means something different for information security than it does for traditional business analytics. In many cases, Big Data solutions are not designed to be real-time. For security analytics, speed is critical because the faster an organization can discover a security incident, the more quickly it can respond – and that can mean the difference between a fast recovery, and a prolonged, public acknowledgement of a data breach.

“Unfortunately, that single outlier can be the critical piece of information that points to a major data breach or other critical security event”, Linkous says. “Unlike other areas of the business where a lack of real-time analysis doesn’t represent a major issue, in the information security world, the lack of real-time analysis of Big Data sets can make a massive difference to both data security and system availability.”

Big Data Issues

Processing and storing private information in the cloud means organizations won’t always know where their data resides, yet they still need to comply with privacy laws and be able to demonstrate this compliance. Businesses eager to adopt these new technologies should understand the legal restrictions that may apply across multiple jurisdictions. These problems are confounded by traditional information protection methods, which may be difficult to apply or ineffective in the cloud.

“Big Data is a powerful new tool but it is subject to the same legal, regulatory and policy considerations as existing technology”, advises Andy Roth, former chief privacy officer at American Express and now a partner in the law firm SNR Denton. He goes on to add: “Data has the power to transform businesses and is rapidly emerging as an extremely valuable core asset. Companies should organize themselves to leverage data responsibly and accelerate valuable and relevant new products and services to market.”

There may be a general lack of understanding in some sectors about how Big Data works and the value it can provide. This knowledge gap can be the source of risk. “But this risk can be effectively mitigated by following best practices”, Roth adds.

Meanwhile, laws and regulations about the collection, storage and use of data are still being formed, so now is the time for businesses to implement privacy best practices, designing them into the analytics programs to establish transparency and accountability.

Cloud 2013 and Beyond

The year 2013 is already shaping up to be one when regulation comes to the fore, not just in the US, but also in Europe and across into Asia. We have recently seen President Obama sign an executive order on cybersecurity, while the EU formulates its cybersecurity strategy with particular emphasis on data security and breach notification. The government in Singapore has made amendments to the country’s computer misuse laws that will compel businesses to take action to prevent cyber attacks in certain circumstances. This increase in regulation clearly will have an impact on business in general, but also Big Data cloud-based collection, storage and use.

Here are six tips for managing your data in the cloud for 2013 and beyond:

  1. Become educated on the issues associated with storing and processing private information in the cloud
  2. Get clear advice about which privacy rules apply in the cloud, and specifically how they are affected by cross-border movement of data and the multi-tiered nature of cloud providers
  3. Conduct a high-level examination of the legal requirements of different jurisdictions
  4. Identify the internal roles and responsibilities that can apply to the use of private information
  5. Define an approach for managing private data in the cloud
  6. Have a strategy to respond to regulators and data subjects

We have not yet seen the full extent of external requirements mandating businesses to assure the integrity of Big Data’s associated information. Regardless, the sheer scale of information processed by businesses remains on the uptick, and with Big Data analytics bringing decisions closer and closer to raw data, the quality of that information has become increasingly important.

Despite its potential to reduce cybersecurity risks and increase resilience, Big Data analytics are not yet mature within the field of information security. This will only happen when the same sophisticated analysis that is currently being implemented across other departments is applied to relevant security data. But the time is coming, and coming fast.

Steve Durbin is global vice president of the Information Security Forum, a non-profit member organization that provides opinion and guidance on all aspects of information security. Durbin’s considerable experience in the technology and telecoms markets includes a role as senior VP at Gartner, where he was global head its consultancy business.

What’s hot on Infosecurity Magazine?