Despite best efforts, effective data management and security practices remain a formidable hurdle for many organizations. As the volume of data generated each day continues to grow exponentially, ensuring proper protection and handling of that information becomes a proportionally difficult challenge. Demand for comprehensive and secure information management solutions is driving growth in the global market. In accordance with this demand, IHS Markit forecasts that data security requirements will grow at a CAGR of 30% over five years due to increased calls for a worldwide consensus on information management standards.
The absence of comprehensive, collectively adopted, and universally enforced data protection and security policies has had a substantial impact on the international community. While there are many organizations that have worked to introduce information security standards, they are far from unanimously accepted and ubiquitously deployed around the globe. For instance, the US National Institute of Standards and Technology (NIST) has established a wide range of Special Publications (SP) on a variety of information security related issues. One specific example is NIST SP 800-53, which was designed to provide detailed guidelines for the development of protected, resilient, and secure information systems for the United States federal government.
Additionally, there are several international associations that have been created to provide an overall framework for secure data management and handling practices. The Information Systems Audit and Control Association (ISACA) and the International Information System Security Certification Consortium (ISC)2 are two of the most well-known and established organizations in this field. Both of these institutions offer comprehensive training and certification programs in information management and data security.
However, the presence of data security institutions, certifications, and policy guidelines does not guarantee the universal adoption of the information management practices they promote. Many countries and organizations alike have only recently begun to respond to these issues. This is primarily due to the very vocal reactions of the public to their data being handled improperly, or outright misused. Unfortunately, this mishandling of personal data is often committed by the very organizations and institutions entrusted to protect it. Several well-established social media platforms, private corporations, and long-standing government institutions, have come under fire for their negligence in handling the data of their respective users and citizens.
One of last year’s most prominent examples took place when Facebook CEO Mark Zuckerberg stood before US lawmakers for two congressional hearings surrounding the data management practices of the social media service. Much of the hearing was focused on Facebook’s dealings with Cambridge Analytica, a political consultancy firm that had collected detailed data on over 87 million Facebook users without their consent. While this specific instance monopolized much of the discussion, Zuckerberg conceded that “malicious actors” had nefariously utilized Facebook’s own search tools in order to collect personal data on nearly all of its 2 billion worldwide users. Unfortunately, while similar data security breaches are occurring with greater regularity, they don’t share the same scale and visibility as Facebook.
For many organizations the lack of adherence to a specific set of standards and guidelines for data management and protection has often resulted in an inefficient patchwork of solutions that require constant monitoring and adjustment. Cybersecurity solutions have traditionally been designed to address a specific threat. Therefore, when many organizations encounter a security problem, they have customarily bought a hardware/software solution designed to address that singular issue. However, as security issues have evolved and become more numerous, so too have the respective solutions. This revolving issue/solution ecosystem demands that companies begin to recognize the trees actually are the forest.
An example of this patchwork approach: an organization that needs to monitor network traffic can purchase a firewall. Firewalls, however, aren’t traditionally equipped to counter malware threats such as viruses and rootkits. Anti-malware solutions don’t protect against Distributed Denial of Service (DDoS) attacks. DDoS protection solutions aren’t designed to address the risks of data loss or destruction, and so on. Over time, the adoption of these products begins to introduce new complications, as these services struggle to effectively complement and communicate with one another.
As a result of these developments, many governments are being forced to establish their own cybersecurity and data protection policies. The European Union’s General Data Protection Regulation (GDPR) saw the first real implementation of large-scale data protection legislation across an entire continental government. Even individual states like California are looking to institute their own data privacy legislation, known as the California Consumer Privacy Act (CCPA), scheduled for a rollout in 2020. While each of these laws aims to address the needs of its own citizens, the specific protections they outline are not equivalent.
For example, several countries of the Association of Southeast Asian Nations (ASEAN) intergovernmental organization have implemented data security policies that don’t provide the same level of protection as the GDPR. Some ASEAN countries may choose to only engage in higher levels of protection during data transfers with European Union member nations. Japan, for instance, recently adopted an “adequacy decision” to address compliance concerns. With this decision, Japan resolved to mirror the GDPR requirements for its respective EU communications. This showcases the fact that many countries will ultimately end up developing data protection policies in an effort to prevent substantial losses from a disruption in international business continuity.
However, like the problem with patchwork cybersecurity solutions, the development of individual or regional nation-state data governance regulation is likely to introduce further complexity to the international community. Companies and countries alike have begun to call for a global consensus on data security and governance standards. Furthermore, there are already examples of mature and universally accepted guidelines for data management currently in practice, such as the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS standard, implemented by the Payment Card Industry Security Standards Council, was created to ensure organizations protect cardholder data, while working to reduce credit card fraud. The worldwide popularity and adoption of these payment methods has created fertile ground for the implementation of universally applicable security regulations surrounding their use. As a result, compliance with these strict standards is mandatory for all vendors who wish to accept these cards as payment. Considering the growing demand for enhanced data security practices from the private and public sectors alike, it’s easy to foresee a global data governance policy being implemented in the next few years.