Today, most organisations operate hybrid environments: security is managed centrally, yet internal departments or business units are granted a degree of autonomy so that they can function efficiently, provided they operate within the organisation's information security policy framework, meet the regulatory requirements of their industry sector and comply with globally applicable cyber security standards.
It is not uncommon for a department or business unit to be unable to meet this complex set of compliance requirements. Such a failure puts the whole organisation at risk of financial penalties imposed by regulators, as well as loss of earnings and reputational damage, which could in turn harm the standing of partner organisations in the same industry sector.
While one organisation may be able to manage its collective internal risks effectively, others may not. Exposure to identified risks, the effectiveness of the controls implemented to mitigate them and, in some cases, the absence of such controls are confidential matters, so partner organisations may not be aware of each other's risk postures. It is therefore common practice for organisations that operate independently, yet depend on each other's data processing practices, to seek assurances and request evidence of compliance from one another.
As new regulations are introduced, the EU's GDPR being the most recent, each organisation implements its own set of controls at its own pace and at varying levels of effectiveness, based on its own risk appetite. Sharing data among organisations creates multiple data custody chains, and the effectiveness of their collective controls is only as strong as the weakest link in any of those chains.
Data is typically shared in blocks of varying value and security significance and, depending on the technology and the business processes shared between two or more organisations, a common communication platform is implemented for that sharing. SWIFT is one of the better known platforms for interbank money transfers; it was proven to be vulnerable, yet it remains in use because the risk is shared by the participants.
To be GDPR compliant, an organisation must implement additional controls to securely manage the state and movement of data blocks and to provide an end-to-end audit trail of their chain of custody. These processes are further complicated by the fact that some of the data may not be owned by the organisation itself: it may be processing the data on behalf of another organisation, or as part of a service it provides to its clients, or it may merely be the custodian, and in the case of a large conglomerate probably a combination of the above.
Organisations with traditionally centralised information security controls face major challenges and an uphill struggle in their efforts to operate in a decentralised, data-driven world, while the threat level to their centralised information assets continues to rise. Automation is the buzzword in such organisations, but on its own it will fail unless there is a common protocol through which diverse automated processes can communicate securely, with the chain of custody forming part of that shared protocol.
While data management is not a new discipline, the rapid increase in data volumes, the decentralisation of data sources and the changes to the ownership model mandated by regulators, down to a very fine level of granularity, are making the discipline very challenging to follow, let alone enforce.