In capital markets, information is as much a currency as money is. Yet this fact is not reflected in how we protect sensitive data or IT-enabled conversations. Why is this?
In the capital markets, the most obvious factor is that the profit motive dominates all activities. Because of this, some decisions and sharing of sensitive data are made despite the risks. Secondly, in capital markets the IT sphere is complex. It is difficult to design “right”, it is difficult to implement “right”, and it is harder yet to keep things secure. The difficulty starts with underlying technologies and it extends up through user-facing solutions. Even when you get all that right inside your business, you still have to interact with others outside your business. And then it is just convenient and expedient to assume that the information you share with them will be protected. As we know, digital information is not like paper documents.
In the digital world, when you share content you effectively surrender control over it
You still have the original file, but you now also have identical copies of that file in locations that are outside your control. And any copy of your file is likely to be duplicated due to backup regimes. But other programs can also make copies—for instance, when you email a file to a single individual, you multiply that one original file into a minimum of four new copies! (One in your email client, one on your email server, one on your recipient’s email client and one on their server, and all that before these are backed up.) Data is at risk from any compromise on any system in which any copy is stored.
When you process, store or share “sensitive information” you need to trust every computer, every network connection and every person from the point that the information leaves your care and for as long as it or any copies exist
There have been several efforts in the financial community to address the question of whether you can trust another party in terms of their security practices and the controls they enforce. For example, “Shared Assessments” has real traction in this. But going beyond establishing metrics to trusting other parties is more difficult.
Getting to the protection of information, it is important to understand that while there are regulations around much capital markets data, the IT world is still fairly naive about the nature of the relationship of data to owners, custodians, stewards, consumers, or subscribers. We still do not have a matchup between technology controls and the right grammar to properly describe roles and responsibilities in a manner that is clear to the CEO, the database administrator, the invested third party, or the person whose information is at stake.
Regulations require that some sensitive data be protected, and then there is information that, if exposed, would lead to financial or reputational damage. In both cases, systems and persons interact with the data in some role or capacity. Inside an organization, data governance is either forgotten or comes in various stages of immaturity. Too often we falsely depend on the permeable perimeter that enterprises feel safe within. Firewalls, VPNs and security within the IT sphere of an organization are only as good as the proverbial weakest link—for instance, your compromised BYOD or corporate laptop. The firewall has minimal value since we demand access to so many services. It is regular sport for hackers to subvert these services, so now the firewall is more like a screen door.
In most cases, governance ignores that the information sphere is really a multidimensional spectrum where different information demands different rules around its protection and control. Recognizing that not all your information needs to be protected or even backed up is an important starting point toward effective information security. The sheer volume of information that is used or created by any organization makes for an unnecessarily bigger problem when you do not have a clear understanding of what needs protection and control.
To start, you can undertake a modest effort to define your enterprise’s requirements for what kinds of information are sensitive or demand access controls. Not everything needs equal treatment in terms of the security triad: Confidentiality, Integrity and Availability. Security is expensive, and the expense propagates more and more if you apply equal security to everything. For instance, cryptography is computationally expensive—why encrypt everything if you do not need to do so? But it is not only expense; it is also the false sense of security you have if you just lump everything behind the enterprise and require people to badge into physical spaces and authenticate into virtual ones to do their work. Remember, Snowden worked for an especially paranoid organization and in a very secure facility, yet he was able to abscond with the equivalent of the crown jewels. If you have crown jewels, don’t let the admin clean them without supervision.
What you really want is real control over your data. You own it, you want to control it. Sharing information inside the organization or on an ad hoc basis shouldn’t require the IT department to go into food or sleep deprivation. What we want are low-friction solutions that require no substantive changes to our IT infrastructure.
What we really want is protection and control of our data
What does that look like? Let’s start by saying that encryption alone is not the answer. But if we combine encryption with access controls, we can wrap sensitive data at the moment we create it and protect it through its life cycle. The goal is to be able to control access to the data even after we share it. These technologies exist today, solutions using these technologies are available, and you may recognize that this sounds like Digital Rights Management.