Five Questions That Can Help Secure Big Data

By Richard Chew

There may be disputes as to when the term “big data” was first used: Some date it back to 2000, while others claim 2012 was the breakout year. Regardless of the year, there’s no denying that big data is currently one of the hottest topics in business and IT.

There’s a very good reason for that: The amount of information enterprises amass from customers, partners, employees, the public, social media and sensors embedded in devices is growing by the minute. All of this knowledge brings power, and with it both strength and vulnerability, because of the great risk this data represents if it were to get into the wrong hands.

In the wake of the retail data breaches, it is debatable whether enterprises are ready to handle and manage big data. In ISACA’s 2013 global survey of IT professionals, only 4 percent felt they were “extremely prepared” and 22 percent said they were “somewhat prepared” to provide effective governance and manage privacy related to big data. In addition, only 32 percent had a policy in place for managing it.

The ramifications of big data are not just applicable to IT professionals; they’re relevant to every business professional who uses the Internet, regardless of industry, location or company size. From retailers to airlines to credit card companies to hotels, companies are collecting large volumes of data from customers, including sensitive information such as Social Security numbers, bank account numbers and even password hints.

This wealth of information leads to great risk, as the scale and complexity of the 2013 Target and Neiman Marcus breaches proved.

Keeping big data secure has become increasingly challenging, in part because of the:

• growing complexity of the IT environment;

• massive growth of transactional data volumes;

• increasing volume of new data types from social media and mobile devices;

• use of insecure Java-based frameworks;

• insider and external threats; and

• advanced persistent threats (APTs).

The onus is on the enterprise to protect its data. If it does not, the financial and reputational consequences can be devastating. But what is the best way to ensure security, management and governance in an environment where the broader impact of big data is not yet fully understood?

Taking the First Step

As with most challenges, the first step is to assess strengths and weaknesses. Security should be viewed holistically as part of a larger discussion. When it comes to a company’s plan to improve big data governance, that process should begin by asking the right questions, such as these five:

1. Can we trust our sources of big data?

2. What type of information are we collecting, and are we exposing the enterprise to legal and regulatory challenges?

3. How do we protect our sources, our processes, and our decisions from theft and corruption? How can we improve on this?

4. What policies and processes do we have in place to ensure that employees keep stakeholder information confidential during and after employment?

5. Which of our actions might create trends that can be exploited by our rivals?

Asking the right questions is a good first step; what to do with the answers is a more important next step. Ensuring effective governance, risk management and implementation of big data projects means having the right processes and policies in place first, and then ensuring they are used and updated appropriately.

Many enterprises today are using COBIT (control objectives for information and related technology), a customizable framework for IT governance and management developed by global subject matter experts affiliated with ISACA. By using COBIT, enterprises can more easily identify sensitive data, ensure that the data is protected, demonstrate compliance with applicable laws and regulations, proactively monitor the data, and react and respond faster to data or privacy breaches.

As the dependency on data to drive decision making increases, the issue of inaccurate, incomplete or fraudulently manipulated data also poses a major risk. When assessing risks associated with big data, enterprises must consider where they are in the life cycle of working with that information (i.e., are they in the planning, designing, building/acquiring or using/operating stage?) and then take appropriate measures.

It can be tempting to skip these steps in a rush to serve up big data solutions. As someone who has been a CIO more than once in my career, I understand this. There is always a tendency to keep the board and senior management happy.

However, the smart move would be to take the interest in big data expressed by the board and senior management and channel it in a structured manner that complies with global governance practices.

The personal information that is extracted from big data has been called the new oil of the 21st century. And, just like actual crude oil, these vast stockpiles of information are vulnerable to being stolen or compromised. It takes a team of business, security and IT professionals working together to keep the pirates at bay.

About the author:

Richard Chew, CISA, CISM, CGEIT, is senior information security analyst at Emerald Management Group and a member of ISACA’s Project Development Team for “Privacy & Big Data: An ISACA White Paper.”