EY - Maximizing the value of a data protection program

The rising costs and increased media coverage of data breaches, together with the continued escalation of threats facing organizations, have led to information security, and data protection in particular, being discussed at the highest level.
Boards and audit committees now expect their information security functions to report proactively on the capabilities, maturity and effectiveness of their data protection activities.

We have worked globally with clients to help implement data protection programs, and we have consulted with many organizations after data protection technology implementations to help them realize better value from their investments. Common mistakes that organizations make include:

  • Viewing data protection as a technology problem and not involving the business
  • Protecting all information with the same controls
  • Not engaging users in data classification and data protection processes
  • Investing in specific capabilities while ignoring other immediate risks
  • Focusing disproportionately on prevention controls and not investing enough in detection and response capabilities
  • Not customizing processes and technology for their environment
  • Forgetting about maintaining technology and processes after the initial setup

EY’s data protection control model (figure: EY data protection control model)

Our full report shares insights and lessons learned from our experiences and helps organizations maximize their technology investments by following four key steps:

  • Building a data protection program that is aligned to the business
    Technology implementations often fail to deliver their promised benefits because organizations do not configure the tools to protect the information within the organization that is truly valuable. With limited resources to configure and manage tools, organizations must ensure that time spent monitoring the movement of information in and out of their environment is focused on the information that matters most.
  • Implementing an effective program structure
    Organizations must create a data classification framework that enables users to identify, label and protect sensitive data. Involving users in data classification, asking the right questions to the right people, and establishing roles and responsibilities are all critical steps in creating a sustainable program.
  • Spending time, energy and money protecting the data that matters most
    It is expensive to deploy the most advanced technologies and the most mature processes in every business area. Understanding the external threats that face the organization, identifying potential motivations for malicious insider activities, listening to feedback from the business, and benchmarking against peers can help to prioritize investments.
  • Changing the business culture and measuring performance to achieve sustainability
    If your data protection program does not evolve to keep its focus on the data that matters most, the value provided by the investments in technology, people and processes will decline over time. Providing metrics to the business, addressing broken business processes and providing regular training help users and data owners stay engaged.

Taking data protection for granted is a recipe for disaster.

Without input, sponsorship and direction from the business, information security professionals cannot strategically align controls and monitoring capabilities to the data that matters most. Additionally, unless end users actively participate in identifying and labeling sensitive information, data protection program investments may yield little practical value.

Key questions

  • Are you confident your intellectual property, trade secrets, proprietary information and customer data are protected from insiders?
  • Are your regulatory and compliance obligations for data protection and privacy being met?
  • Does your Information Security function understand what data is most valuable to the business? (Have you told them?)
  • Is your data classification policy more than just a piece of paper? Has it been implemented and embedded into your culture?
  • Have your investments in data protection people, processes and technology demonstrated tangible value for your business?
  • Do you know what success looks like? (Do you know if your program is working?)

If you answered “no” to any of these questions, it is time to take action. Contact us today.