I never considered myself a runner. I am your typical IT guy. I like hot wings, beer, and video games. Information security was something that I had an interest in at a young age, but running? No. That could possibly involve sweating. So why am I writing a blog about security and how it relates to running? Because both of them are something I NEED to do. I want to protect myself from the crippling effects of my often sedentary lifestyle. I work for a company that does a masterful job of protecting organizations from security-related threats, so by proxy I am keeping people’s information safe, systems healthy, and data secure. I can tell you at a moment’s notice who has access to data, what they are doing with that access, how they got the access, and if they are being responsible. So how does this relate to running? Let me tell you about how I started running and how grinding miles on the trail got me thinking about how similar running is to security.

I woke up one day and decided I wanted to run a 5k race. My wife is a runner and I have watched her cross more finish lines than I can count. I went and bought some shoes, running clothes, and a water bottle. I then registered online for the race, which was in a week. I even bought a running visor, thinking about how cool others looked wearing one. Race day came and I was super excited. I lined up with the rest of the runners, heard the bang of the gun, and off I went. I made it less than 100 steps before my wings, beer, and video game diet came crashing down on me, and I realized something. I had never run a mile, let alone three miles, in my entire life. I am sure you’re still wondering what this has to do with security. Everything.

The thing I was missing, and the thing most organizations are missing in their data access governance programs, is preparation. Your data is much like my diet. You have years upon years of data. Some of the data may have proper permissions and owners assigned, but most of it probably looks like a diet of wings and beer. Now think about installing software to start managing that data and expecting it to solve all your problems in a week. Trust me, you will make it no more than 100 feet and fall over. The only way you will be successful is proper preparation, and here are a few steps to follow to get your data access governance weight loss program started right:
First, survey and analyze your data. You need to know what is out there and how much of it you have.
Second, focus on what really matters to your organization. I wanted to run fast, but then I realized it wasn’t speed that was important to me. It was finishing the race. Organizations that are successful with their data access governance programs start with sensitive data, open access, and privileged user access.
Third, get the right stakeholders involved. You need to have sponsorship from the business and people who want to have ownership of data. They also need to be comfortable with delegating access to others through self-service. You can’t be on Weight Watchers forever. Eventually you will need to figure out what you can eat on your own.
Finally, you will want to turn what you have learned into a repeatable process.
Let’s fast forward six years. I have three half marathons under my belt and have my sights set on a full marathon at the end of this year. I have taken what I learned from my first failure and created a training plan that mirrors the four steps of a successful data access governance program. I looked at where I was, what really mattered to me, sought stakeholder involvement from other runners to keep me motivated, and developed repeatable training that is constantly improving both my time and distance. Data access governance with proper preparation and planning is within your reach. Remember, set an achievable goal and start small. Tackle your most pressing issues first and take your lessons learned forward to achieve full data access governance.
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.