Oh Great Database – Wherever and Whatever is My Data?
So Sharon posts on the Imperva blog. A nice post was about data loss at companies that do database monitoring: http://blog.imperva.com/2008/12/protecting-the-database-less-i.html
It does not surprise me that people who monitor more lose less. They know more about where their data is and how it is being used, and they assume less. So their time is better spent, focusing on “what is” rather than “Hmmm… perhaps they are doing this and maybe they are doing that”. It is somewhat a statement of the obvious.
So we are back to what most practitioners of security know (or should know): that governance is key. In order to do security right, you must KNOW what the crown jewels are, where they are, what employees are doing with these jewels, etc. At that point you can secure, you can prevent, you can assess risk, and you can make decisions based on factual data (not imagined data).
Pamela Fusco continually drives this point forward. In her presentations (an example of which can be found at http://www.securedenmark.com/2007-Presentations/Fusco%20Denmark%20final.ppt) she typically reflects on a multi-year strategy for the correct way to build a security practice. She actually recommends starting higher than governance – she starts with the business drivers (you can’t have governance without understanding the business). She is dead on!
Governance can exist without security (it is merely a decision based on acceptable level of risk). But security without governance? No chance.