As we look back on 2016, we are once again faced with a plethora of data breaches which resulted in the exposure of hundreds of millions of records across this nation, I admit I am left wondering whether or not our data truly has value anymore.
Don't get me wrong: I still wholeheartedly believe and support the need for organizations to take a more proactive and holistic approach to protecting our data. This includes (but is not limited to) things such as focusing beyond compliance; proactive threat intelligence; skilled resources; and a proactive defensive posture which focuses on all portions of the cyber kill chain. But let's pause for just a second:
How many companies have gone out of business because of a data breach?
How many organizations have seen an unrecoverable loss in valuation after a data breach?
How many folks reading this have stopped utilizing services and/or associations because of a data breach?
See what I mean? As upsetting as data breaches have been, at a macro level we have collectively devalued the importance of data confidentiality to a point where its loss creates a smaller and smaller ripple in the world and in our lives -- and does not drive behavior change.
There are scores of theories as to why this might be the case; I will leave that discussion to the behaviorists and social scientists. For the security professional, though, it is worth understanding this paradigm around data. While discussing data breach and its components with the business leadership may have some value, utilizing a loss of confidentiality to help energize a security program may not get you the traction you are hoping for - even if the breach occurs at a competing organization. We are better served by focusing on how our programs and efforts maintain the integrity of the data as well as its availability to our customers and our internal organizations. If you are beating the data breach drum as a mechanism to garner support for your programs, do not be surprised if you keep coming up short.
My two cents...