Any attempt to perfectly prescribe exactly what you need to build an effective data security role or team is a fool’s errand. There are simply too many variables you need to take into account - the size of the organization, the amount of data it has, the type of data that needs to be secured, the organization’s culture and risk appetite- all of these need to be weighed and balanced.
However, with that disclaimer and caveat in place, I do think there are some broad best practices that apply to almost every data security role, and those are the ones I want to focus on in this blog.
Know Your Inputs and Restrictions - and Document them
Every data security team has a certain set of ‘inputs’ and restrictions under whose framework they need to operate. These can be regulatory frameworks like GDPR and CCPA, but they also include agreements with customers and partners and the level of risk the company is willing to accept.
These inputs exist for every data security role. And the first thing you need to do when stepping into a data security position is to document these inputs and ensure that everyone’s on the same page. This isn’t the type of project that can be done by a single person or even a single team. Legal needs to be involved. Privacy needs to be involved. Security needs to be involved. The scope of this varies by company, but the main point is that there needs to be a governance arm telling you what the requirements and policies are before you can get to work enforcing anything.
It’s also important to remember that there are two different groups here. You have the leaders from the teams I mentioned. And then you have the engineers and executors that implement those policies. All the documentation in the world won’t help if there’s a communication breakdown between the deciders and the implementers.
Managing Risk, Managing People
Whether you’re an individual or a team responsible for data security, it’s important to keep in mind the big picture - your answer can’t always be ‘no’ when asked ‘can I do this with our data’. Understand that there’s a business reason behind the question - and find a way to help them achieve their goals without violating the risk and legal parameters you’ve already established.
The data security role also shouldn’t be responsible for actually going into the platforms to remediate issues. As far as possible, the actual remediation should be done by the teams that manage those platforms every day. If there’s 10 different data sources, the security team should be identifying those issues using data security tools. But they should also be - with minimal friction- dispatching the alerts, tasks, and remediation steps to the relevant teams. And the security team should be assisting these teams with developing, rolling out, and managing secure configurations so that, ideally, alerts and remediation tasks become less frequent over time.
Besides managing systems, there’s an enormous human component when it comes to data security success. (In general, I believe that most of our problems in security have a human dimension.) There are egos and authority on the line in discussions around data and how it should be used. The business side of the company may want to gather and retain as much data as possible. The privacy and legal teams may want as little as possible. Security leaders in general and particularly data security leaders will need to get along well with the heads of these various departments. They need to play the role of harmonizer between the competing demands and be able to get things done. This involves working with the peers of the CISO - head of legal, head of privacy, and making judgment calls in a space (data security) that historically hasn’t had that much authority. Of course, that’s all changing now as every country and region adopts new data security regulations.
Managing up, down, and across the company is the main data security skill. It’s what helps separate effective security leaders. Working well with engineers gets the data secured. Working well with legal, privacy, and compliance is the scaffolding that supports all of your effort. And like every security role, working well with the CISO is critical.
Data Security's a Great Career - Just Take Care Not to Burn Out
To wrap up, I’d say - there’s never been a better time to get into data security. The growth of regulations - and associated consequences for non compliance- means companies are investing in data security talent. For anyone looking to move from a general security or IT role into a data security role, a great first step is to improve your cloud and data skills. Understanding your company’s cloud environment, its different use cases, tools, and business objectives will give you the context you need to be successful in the role. It will help you understand the inputs and pressures on the different teams, and grow your perspective beyond just the technical part of the job.
The key to avoiding burnout is understanding the nature of the job. There’s always going to be a new tool, stakeholder, or regulation that you’re going to face. There’s no ‘finishing’ the work in any final sense. What you spent all month working on might be irrelevant overnight. That’s the game. And if it’s for you, I hope this blog helps in some small way think about what makes a successful data security professional.