There are few things that niche industries love more than developing their own lingo. Those of us old enough to remember the tech boom of the late-90s/early 2000s probably also remember hearing that everything was a “paradigm-shift.” Eventually, this phrase morphed into everything being a “gamechanger.” Today, business people love to talk about whether X “moves the needle” and it wasn’t so long ago that before elaborating on any topic, we would first announce that we are going to “add some color” to the issue. My suspicion has always been that this is a form of code-switching, designed to let the listener know that the speaker is with the “in” crowd. It comes from a place of insecurity, worst-case, or conformity, best-case. And look, I’m guilty of it too, which is why there is so much to unpack here (see what I just did?).
The cybersecurity world is no different, and in a lot of ways, worse, when it comes to having its own language. You would think that the best way to communicate already very complex ideas would be to simplify the language so that everyone could understand it. But, its pretty clear that a lot of people don’t want the language to be simple. They want it to be confusing, so they appear knowledgeable.
One of my goals with this blog is to break down intimidating cybersecurity concepts into plain language. Today’s lesson? The Data Map. Guess what. It’s a spreadsheet. Let’s take a look at what a data map looks like, which, hopefully will make more clear why they are important.
The data map really is the roadmap to your work in managing your cyber risk and the rosetta stone to responding to incidents involving your data. It is the product of all of the preparation and planning work you put in ahead of time, so that when an incident does occur (sorry, but chances are, it will eventually), you will have a game plan (a map, if you will) or how to proceed. That said, it is not, itself, the incident response plan (that is a different thing, which I will eventually cover in the future).
The Data Maps that I typically use includes the following fields, give or take:
- Data Description
- Lawful Reason
- Justification Inquiry
- Who Has Access
- Who is Responsible
- What Laws Implicated
- Compliance Notes
There you have it. The secret sauce. I’m not worried though, because you are still going to want a professional who can help guide you through this process.
Unfortunately, its not the fields that make your map useful, its the data that you put in it. One of the things that a good data map will do, is expand a team’s thinking about what data actually is. And one way this is accomplished is by categorizing your data. Is this data a record of contact information? login information? social security numbers? client info or employee info?
The more you start to think about how to describe and categorize your data, the more areas of your business will reveal themselves as important sources of data. For instance, you may start to realize that much of this data is located in your email server. Some of it is on employee devices, company laptops, usb’s on your desk, CDs in the file cabinet, etc., etc.
Ultimately, a lot of questions in your data map are about the process you undergo in answering them. Fact is, the actual answers are always changing. But it is the exercise of thinking about risk, and thinking about where data resides, and who has access to it, that is pivotal to what a data map does for your team. It also creates jumping off points for further inquiry.
So, how does this help us when a breach has occurred?
Glad you asked. Here is a thought experiment. Say you have a situation where you are contacted and told that three of your customers have reported recent suspicious activity on their credit cards. Visa thinks you are the source of a data breach. Step one is to investigate and stop the bleeding, right? Where do you begin?
If you’ve done a good job of working through these issues ahead of time, you can review your data map and clearly see 1) areas where this data is stored; 2) key personnel who are responsible for this data that you will want to call on to address the situation; 3) further information about the scope of the data you are storing; and 4) areas of concern where a breach in one place could signify other, as yet undiscovered, breaches on the system (particularly where you have multiple machines or are using SaaS vendors. The possibilities are endless in terms of creating shortcuts for incident responses.
In addition, you would use your data map to take proactive steps to secure this data. You identify weaknesses, areas that can be improved, people to bring into various efforts, etc. etc.,
By completing this work ahead of time, you are getting a head start at a time when a few minutes can literally cost you millions of dollars. Is that important enough for you?
So, now that you know what a data map is, and why they are important, what are you going to do to ensure you can leverage their usefulness?