Incoming: Too Much Data Security Can Be as Bad as Too Little
In today’s world, the most valuable resource is information. The fastest-growing companies are data companies. Firms that can apply decision-quality information in time to affect critical business decisions are reaping the greatest success. Just as in warfare, the force that can bring intelligence to the battle edge in near real time will have a tremendous advantage in any engagement.
Accurate and relevant information, delivered at just the right time, greatly enhances the probability of a positive outcome in almost every aspect of life. We also know that not receiving critical intelligence in time to use it to our advantage has caused extreme loss of life in battle and countless loss of dollars in business. As a result, delivering information to the user in time to maximize its value is the prime mission. The mission, in most cases, is not security, because securing the information at the expense of moving that information when and where it is needed is a failed mission.
Whether planning a combat mission or a business operation, you want to use minimal resources to accomplish the task. This is true when looking at dollars, time and especially people. It also is true when talking about securing information. Security needs to be at the minimal level to accomplish the mission. The applied level of security must be evaluated against the mission: How long will the data be valuable, and what are the capabilities of the threat to damage, intercept and exploit the data in time to affect the mission? For vast amounts of data, we do not need to protect it at the same level forever. Most data has a shelf life. Data is not wine—it does not get better with age.
I have heard discussions, both in business and in government, about securing data at all costs and applying the highest level of security possible. We do not seem to take the time to fully understand the risk of oversecuring the data versus the value of the mission. I recommend that business and government review the unclassified data they transmit to determine what they could send with minimal or no security protection, especially data with short windows of value. For example, why do we spend so much time securing data for calendar appointments or for emails sent outside of a secure network? Many systems are built to default to a higher level of security and restriction, and the easy answer is just to follow the default without regard to the cost in dollars and time.
All of us are constantly reviewing the cost of securing data and are dismayed by how fast these costs are rising. We spend time working on new technologies to secure the data better and labor tirelessly to reduce the costs of the technology. Although these efforts are important, we should look at the data itself and work to reduce the amount of data we secure and the length of time it is secured. Because we are creating new data at a rate greater than at any point in history, we need to start looking at the real value of the data and the direct costs of securing that data. Otherwise, the sheer volume could drive costs to unsustainable levels. We are spending more to secure the majority of our data than is required. This means we have less money to spend on the important data that really does need to be secured at a higher level.
It might be time to invest in technology that helps assess the value of data in relation to security costs or the costs if that data is lost. Is it time to look at intelligent systems that help answer the question about lost opportunity from delays in transmission or lost opportunity because the data security level was affecting speed of analysis? In simple terms, maybe we need some technology that helps us unsecure the right data.
Oversecuring data or applying security measures that the user believes negatively affect the mission—or that the user simply feels are too inconvenient to follow—also can have very detrimental effects. Many of us can think of security measures so burdensome that we took measures to get around them. The BlackBerry sled that government personnel had to use comes to mind, as does employing personal email to send official work, or talking around a topic to avoid applying stricter security measures. This behavior, though wrong, occurs often and most likely at a higher rate than we want to believe. And behaviors such as these lead to a whole different set of security problems.
As a young military officer, I was in a communication class, and the NCO teaching it made a point I have never forgotten: If the enemy can put accurate small-arms fire on your position, then the enemy knows where you are. At that moment, securing your communication to protect your location is not worth the delay in getting help or ammo. Securing the communications data is an obstacle to completing your mission successfully. There are many applications where the spirit of that wisdom could be better applied today.
There is no question that we need to secure some data at a very high level and for a long time, but this is just not true for most data. It is also valid that we need more resources to better defend the cyber environment, but we must better understand data’s value in terms of our time, delivery speed and threat capability compared with the window of value and cost of compromise. This analysis needs to be a bigger part of the security equation than it currently is. As always, counter battery fire is welcome, and I look forward to questions or comments.
Terry Halvorsen, the CIO and an executive vice president with Samsung Electronics, is the former U.S. Defense Department CIO. He also has served as the Department of the Navy CIO.