The Building Blocks of Data Security

Ways to build a strong cybersecurity foundation in addressing evolving threats.

Steve Durbin
Jan 30, 2025
Encryption

Information is arguably the most valuable asset held by organizations today. Hence, they attract the attention of highly motivated, capable and well-funded threat actors. Moreover, the extensive footprint of these assets spread across various regions, systems, devices, and formats, provide ample opportunities for threat actors to breach and gain access.   

While business leaders recognize the value of these information assets, they often underestimate their vulnerability to threats and the potential consequences of being compromised. To protect information assets, organizations have to think beyond existing protection capabilities and adopt protection processes that are balanced and comprehensive. Some basic steps in getting started should include:

  • Identifying Critical Information Assets. Organizations need to identify vital information assets before these assets can be prioritized, subjected to a risk assessment and protected in line with their security requirements. The key steps in this process can include assessing and recording asset business value, applying a business impact rating, and creating a prioritized list of the most important assets. 
  • Understanding And Prioritizing Key Threats. Successful identification, profiling, and assessment of threats is dependent on an organization’s risk management capabilities. Key steps in this process include investigating the main threats to these assets, identifying the likely threat events that can be used to target these assets, and evaluating the level of exposure of each threat with each critical information asset.  
  • Determine The Necessary Protection Mechanisms. Once vital information assets and associated threats are identified, organizations will need to adopt security mechanisms, controls and approaches that provide relevant protection against these threats. Protection mechanisms can include investing in specialized enterprise security solutions, acquiring dedicated security products, or enabling certain built-in security features within existing technical infrastructure components.  
  • Leverage A Threat-based Protection Approach. Adopting a threat-based approach is about providing situational awareness of current and emerging threats at each stage of the cyber kill chain. It involves establishing an early warning system before an attack occurs, developing a combination of preventative and detective security measures during an attack, and efficiently managing security incidents associated with these information assets after an attack is detected. 
  • Secure The Information Lifecycle. Critical information assets must be protected at each stage of the information life cyclewhen they are created, processed, stored, transmitted and destroyed. Information owners and users that work with vital information assets can apply comprehensive protections, such as multi-factor authentication, biometrics, encryption, real-time monitoring and reporting, regular reviews of event logs, and other standard security best practices. 

Building A Robust Data Protection Process 

Embedding these  four elements can help broaden your data protection capabilities:

  1. Governance, Risk and Compliance: Governance, risk and compliance represent the disciplines and practices associated with how an organization governs information security, manages information risk, and addresses different compliance requirements. Adopting a GRC framework has the following benefits: 
    • A Structured Approach. GRC enables organizations to gather and analyze information, make informed data security decisions and manage a variety of ongoing data protection activities in a structured format.
    • Proactive Risk Management. Embedding risk management efforts into daily operations can anticipate potential security threats faster, fostering a more resilient data protection posture.
    • Compliance Adherence. GRC ensures ongoing adherence to regulatory requirements, enabling organizations to stay compliant and avoid potential penalties and reputational harm.  
  2. Technology: Safeguarding vital information assets will require significant use of technology to automate protection and complement existing security measures. This includes: 
    • Technologies such as encryption, zero trust network access (ZTNA), data loss prevention (DLP), secure deletion and file sanitization software.
    • Establishing a security operations center (SOC) to help monitor network activity, analyze potential threats and provide a coordinated response to security breaches. Leveraging AI technologies can also help in detecting anomalies in real-time.
    • Deploying backup and disaster recovery solutions enables organizations to quickly restore data in the event of a breach, corruption, or loss. This ensures business continuity and mitigates risks related to data availability. 
  3. Security Assurance: Several variables can affect critical information assets over time, including new business processes, changes in the threat landscape, technological developments like AI, modifications to legal or regulatory requirements, and corporate events like mergers and acquisitions. To manage these changes and evolving risks, security assurance activities become critical. Strategies that can help support these activities include: 
    • Regular security audits help identify weaknesses in systems, software, controls and processes, ensuring that security practices are up-to-date and aligned with the prevailing threat environment. 
    • Regular penetration testing, vulnerability scans and ongoing monitoring allow organizations to address potential vulnerabilities and plug security gaps before they can be exploited. 
    • Achieving compliance provides external validation that security controls are deployed according to industry best practices and meet adequate protection requirements.  

Information assets account for the bulk of an organization's value, but the risks associated with these assets are often undervalued, despite the ongoing occurrence of high-profile security breaches. Organizations must identify their critical information assets as soon as possible and invest in building a resilient data protection process. 

Steve Durbin is Chief Executive of the Information Security Forum, an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management.

Latest in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
January 29, 2025
Cybersecurity In A Bubble
5 Questions to Identify and Mitigate Hidden Security Threats
January 30, 2025
Homeland Security Secretary Kristi Noem speaks to employees at the Department of Homeland Security, Tuesday, Jan. 28, 2025, in Washington.
Cyber Agency's Future in Elections Murky Under Trump Administration
January 30, 2025
Encryption
The Building Blocks of Data Security
January 30, 2025
Related Stories
Smishing Attack Fran Rodriguez
Cybersecurity
Threat Labs Research and Analysis Initiative Focused on Human-Targeted Attacks
Cybersecurity In A Bubble
Cybersecurity
5 Questions to Identify and Mitigate Hidden Security Threats
Homeland Security Secretary Kristi Noem speaks to employees at the Department of Homeland Security, Tuesday, Jan. 28, 2025, in Washington.
Cybersecurity
Cyber Agency's Future in Elections Murky Under Trump Administration
Today in Manufacturing Podcast
Sponsor Content
Today in Manufacturing Podcast
More in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
Today in Manufacturing has a new podcast brought to you by the editors of Industrial Media. In each episode, we discuss the five biggest stories in manufacturing, and the implications they have on the industry moving forward.
January 29, 2025
Cybersecurity In A Bubble
Cybersecurity
5 Questions to Identify and Mitigate Hidden Security Threats
'Cybersecurity threats don't discriminate by company size, industry, or geographic footprint.'
January 30, 2025
Homeland Security Secretary Kristi Noem speaks to employees at the Department of Homeland Security, Tuesday, Jan. 28, 2025, in Washington.
Cybersecurity
Cyber Agency's Future in Elections Murky Under Trump Administration
The new homeland security secretary, Kristi Noem, said that CISA had strayed 'far off mission.'
January 30, 2025
Cps (cyber Physical Systems) Concept Abstract Image 612622938 2124x1416
Cybersecurity
Cyber-Physical Systems Under Siege
Recent events have shifted perspective on responsibility and priority.
January 30, 2025
Ep128
Cybersecurity
Security Breach: The Legacy of AI in Cybersecurity
AI offers solutions to enduring problems, but keeping pace with hackers will be key.
January 30, 2025
Us Binary Flag Mirsad Sarajlic
Cybersecurity
Industry Responses to Biden's Outgoing Cybersecurity EO
The realities surrounding China and other threats to critical networks were laid plain.
January 23, 2025
Industrial Cyber
Cybersecurity
Platform Offers Secure OT Access Management
Xona targets secure access by preventing insecure user endpoints from connecting to critical assets.
January 23, 2025
Ransomware
Cybersecurity
Report Highlights Critical Need for Cyber Insurance
A rise in cyber insurance claims includes a surge in the average cost of a data breach.
January 23, 2025
Utility Metamorworks
Cybersecurity
The Realities of Critical Infrastructure Security
Most could already be compromised from software updates or back doors that have not been opened, yet.
January 16, 2025
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
2024 in Review: Cyber Threats and the Fight to Secure Critical Infrastructure
The threat actors and their strategies continue to evolve.
January 16, 2025
Intllectual Property
Cybersecurity
Encryption Becoming Essential for U.S. Manufacturers
Research found that manufacturers are aware of threats and have turned to encryption to fortify data.
January 16, 2025
American flags are displayed with Chinese flags on top of a trishaw on Sept. 16, 2018, in Beijing.
Cybersecurity
Biden Executive Order Aims to Shore Up U.S. Cyber Defenses
The order makes it easier to go after foreign adversaries or hacking groups.
January 16, 2025
Hacking Alarm
Cybersecurity
VPNs and Critical Infrastructure Risks
Cybercriminals are increasingly exploiting VPN vulnerabilities.
January 15, 2025
Cybersecurity In A Bubble
Cybersecurity
Ghosts of Systems Past: Future-Proofing Industrial Control Systems
Security strategies that see, protect and manage critical assets across the attack surface.
January 15, 2025
Ep127
Cybersecurity
Security Breach: Breaking Down the Latest ICS Hack
The continued evolution of the CyberAv3ngers hacking group and its IIoT-focused malware.
January 15, 2025