How To Choose The Best Data Protection Program

How To Choose The Best Data Protection Program For Your Company

After the recent rash of malicious hacks that compromised millions of people’s financial security and right to privacy, every organization should not only be on high alert, but should also be paying more attention to its current data security strategy; in many cases this includes shopping around for an upgrade. With a wide variety of options available, this article describes technology-based practices that companies can use to protect their sensitive data sets.

Do:

•  understand your data

•  know where your data lives

•  develop a realistic approach to securing your data

•  get data out of your environment

•  assess your controls regularly

Do not:

•  think hope or cyber-security insurance are strategies

•  forget hardware with blinky lights only goes so far

•  assume compliance equals security

•  forget to educate your employees

•  forget securing your environment is an iterative process



Do understand your data

Understanding your data is a critical part of securing it. First you must ask, what types of data do you have? Is it sensitive or neutral? What regulatory compliance, or other obligations apply to your type(s) of data? What is the lifecycle of your data, and how are you disposing of it? How are you using your data, and is having that data “necessary” or just simply “nice to have” for each business unit? All of these questions, among others, should be thought about on an on-going basis if an organization is going to stand a chance at securing one of their most valuable resources.

Do know where your data lives

You also need to understand how sensitive data traverses your environment and where it is being stored. Customers sometimes think they understand where their data is supposed to be stored; however, when the project officially “kicks off” with stakeholders on the business side, this often turns out not to be the case. You would be amazed at the number of times someone says, “oh yeah, we have access to that data and it’s stored over here on SharePoint,” or something similar.

Of course it would be a daunting task to know where every single piece of your data resides, so the rule is to use risk as a gauge of how important it is to know. Understand where significant repositories of sensitive data reside, and secure those repositories. Sure, there will always be a customer comment field in an organization’s customized application that happens to contain a credit card number, or a PDF of something like a claim that carries an individual’s social security number instead of their driver’s license number, but these occasional scenarios don’t present measurable risk to your organization.
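As an added illustration, not code from the original article, the discovery pass below scans constructed sample records pulled from several repositories, keeps only digit runs that pass the Luhn check (so order numbers are not mistaken for card numbers), and ranks repositories by how much sensitive data they hold, which is the risk-based view the section describes. Repository names, field text and the record layout are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample records standing in for fields exported from several systems.
SAMPLE_RECORDS = [
    {"repo": "crm.customer_comments", "text": "Cust asked to charge 4111 1111 1111 1111 again next month"},
    {"repo": "crm.customer_comments", "text": "Order ref 1234567890123 shipped"},  # 13 digits, fails Luhn
    {"repo": "sharepoint/claims", "text": "Claim filed by John, SSN 123-45-6789"},
    {"repo": "sharepoint/claims", "text": "Card on file: 5500-0000-0000-0004"},
    {"repo": "erp.invoices", "text": "Invoice total 1049.00 due 2015-01-31"},
]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hyphenated SSN that excludes area/group/serial values never issued (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, last4) tuples; only the last four digits are kept in the report."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", m.group()[-4:]))
    return hits


def rank_repositories(records):
    """Count hits per (repository, data type), highest count first."""
    counts = Counter()
    for rec in records:
        for kind, _ in find_sensitive(rec["text"]):
            counts[(rec["repo"], kind)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (repo, kind), n in rank_repositories(SAMPLE_RECORDS):
        print(f"{repo:25s} {kind}: {n}")
```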

Do develop a realistic approach to securing your data

You do not have an open pocketbook to spend on protecting your data, so developing a sensible and economical security program should be at the forefront of your mind when planning your strategy. The strategy we have already highlighted is based upon understanding your data, how it traverses your environment, and which people, processes, and technologies you need to have in place to protect it. Like any project, putting in forethought will save resources that could be used for revenue-generating functions. You can’t spend a million to protect a penny.

Do get data out of your environment

Let me ask you this: “What does your company do?” If your answer is anything but “securing sensitive data…”, then why are you still storing sensitive data in your own environment? Of course there will always be certain types of data you will never store outside of your environment, such as trade secrets, but there is no need to keep things like large cohorts of payment card details under your own roof. Social Security Numbers and financial account information are two further examples of data types you would be wise to move off-site. After proper due diligence is done, you should offload this liability to someone whose sole business is securing sensitive data for others.

Quite frequently, companies fold because of data breaches involving data that they didn’t need to be storing in the first place.

Do assess your controls regularly

Regular assessment of your controls to ensure they are functioning effectively is imperative. Simply putting them in place is not enough anymore. As we’ve seen, over time these controls become stale, and attackers learn their way around them. Assessing your perimeter and internal technical controls, assessing the controls around people and process, and assessing the controls governing how your third-party vendors protect your data should all be done as regularly as possible. Spending a million to protect a penny would never make sense, so you need to find the happy medium where your spend satisfies your organization's risk appetite; this is a hard goal to achieve.


Do not think hope or cyber-security insurance are strategies

Hoping that your security posture is in good shape is definitely not a good strategy. This can equate to executives seeing the Target breach and thinking, “We have a security team, and they’re asking for a bunch of money to protect our environment...we must be safe.” Having a well-followed information security policy and adequate procedures to secure and regularly test your environment is probably the best way to ensure, rather than hope, that your data is safe.

Do not forget hardware with blinky lights only goes so far

You must analyze your environment and realize that most data breach incidents can be avoided by understanding which data presents a risk to your organization. Then you should layer controls on top of that data to reduce the present risk to your organization.

Too frequently, organizations invest sizeable amounts of resources, both human and financial, into a hoped-for “silver bullet” of data protection and then fall flat on their faces again and again. Don’t replace a well-thought-out strategy with a blinky light on a box.

Do not assume compliance equals security

Another strategy seen with merchants and service providers alike is the stance that “all I need to do is be compliant and then my troubles go away,” as if being compliant transferred the risk from themselves to somewhere else. Unfortunately, this isn’t the case.

By becoming compliant, the only thing you’ve done (assuming no findings) is one of two things: one, given yourself enough time to prepare for the next cycle of vulnerabilities, or two, fooled your assessor/auditor enough to get past your compliance obligation.

Hopefully professionals and organizations alike are moving towards the “what is next” mentality and designing an agile security framework to pivot based on the next breach. We are seeing new attacks every day - from internal to external - and across technologies. Simply becoming compliant is not going to stop the breach - and it’s certainly not going to remove the risk of heavy fines and breach response costs.

Do not forget to educate your employees

People and process are two-thirds of your data security strategy. One of the best recommendations to any organization or person is to invest in your people and processes from a security standpoint. We’ve all heard there are three pieces to your security strategy: people, process, and technology. By investing only in the technology component, you miss two-thirds of the bigger picture. People must be trained to use processes that promote a secure environment and the secure use of the technologies meant to drive the business. Looking at the breach statistics furnished by the Ponemon Institute and IBM, most breaches can be avoided with minimal investment in your people and the time you spend educating them on the proper way to use computing assets in your environment.

Do not forget securing your environment is an iterative process

Like compliance, if you’ve audited and tested your environment once this year, then you’re about a quarter of the way done. Regular assessment and review of security metrics can tell you where your weaknesses lie and, more importantly, where you need to focus your attention to remediate vulnerabilities and strengthen controls.


Get sensitive data that presents risk and creates a compliance burden out of your environment, period. For the data you must keep, develop a well-thought-out strategy for securing it, covering people, process, and technology. Finally, hand the sensitive data you move out of your environment to someone who has taken on the full-time job of protecting what presents risk to your organization.


Please contact us to learn more about tokenizing your data environment to lower PCI compliance scope. Many of our customers are able to pay for our solution with the reduction in auditing expenses and other related costs. Don't be the next data breach casualty. Securing Data on a Global Scale.
