The group started the discussion by agreeing that there is no “one case fits all” for protecting data. Every company is different: the budget is different, the technology is different, and the location and movement of data are different. As a result, the group decided to focus on which general practices would work best across various companies.
Remaining as close to the data as possible is also one of the first major steps in securing information. Once teams determine where the data is coming from and where it is going, they should develop methods that keep their controls very close to the data for as long as possible. Keeping a record or catalogue of “use cases” describing how certain technology or strategies are used can be helpful not only internally but, if published, externally among other security teams. The group also agreed that tying everything to a potential revenue loss, whenever possible, is extremely important. Showing that protecting data is closely tied to monetary losses resonates strongly within the business and helps boost the importance of security.
Finally, the group focused on readiness—are teams prepared to handle whatever challenges may come their way? Teams need a response plan: a playbook that they can use when issues arise. For instance, ransomware has become a real challenge to security recently, and teams need to have game plans for handling a potential aggressive ransomware breach. What will teams do if something happens? How will they stop it? Who will they get involved? Asking these questions can help a team in any industry generate strategies and standards that will protect their data.