There's an assumption there that we have a good understanding of where the data lives, and how much of it there actually is. When I think of assessing the risks, first, I have to understand the reality of how much data is there within the company. My experience is that the data usage of a company is independent of the number of employees.

An important part of data risk assessment is you need to find the value of each data type. It’s a challenging task for almost every company, and different data might hold different values based on the industry. When you own the operational risk for a company, you end up owning the business risk with every single business function from finance, accounting, operations, marketing, engineering. Data from all those functions have different values. If I were to recommend what to do for data risk assessment, it would be to establish that value. This further comes down to classification of the data. As a CISO, I need full understanding of the value of data, to help me compare the different datasets and invest my limited resources accordingly.

Part of the challenge is that oftentimes something is thought of as a technology problem when it is clearly a business problem. Since it's a business problem, how do you translate it to the business leaders such that they buy into it. Like Richard was saying, how do you get the different verticals to support you? You have to understand what’s the business model, what’s important to the business that’s going to impact the bottom line. We need to identify operational risks, strategic risks - the aspects that are going to harm the bottom line and any kind of profitability. Once you get that message across, then you start to evaluate what data is important.

I really believe in using technology to find what data is out there. A lot of people don't deploy true data classification mechanisms. When Arpit and I talked, what really sparked me is that Gamma has the capability of finding and automatically classifying all data based on the classifications that are most important to me. Once you are done with the classification, only then you can start to take that data, compartmentalize it and put the right security controls around it.

Understand what your business is about, find out where that critical information is, and then put the right controls around it. I try to link everything to dollars and cents. If the likelihood is high, and impact is dramatic, then we need to focus on that - it’s as simple as that. Based on the impact and likelihood metrics, you can figure out the ROI of that risk e.g. if scenario X happens, $500,000 of a bottom-line impact, but it's only going to cost us $100,000 to deploy something to help resolve this issue - it then becomes a simple conversation.

Agree with Derek that this is a business problem - each company essentially has to go through some sort of risk assessment irrespective of whether they are residing on-premise, or using cloud services. From the perspective of customers who try to move toward cloud services from on-premise, they have to rethink the whole security paradigm. When they were on-premise, they had full control over their data and infrastructure, the controls that they had established right from the physical layer up to the application layer. They could literally control everything. But when you move to the cloud, you need to understand the separation of duties (often referred to as a shared responsibility model) between the cloud provider and the customer very well. For example, within SaaS environments, the cloud provider would control more of the stack than in an IaaS environment.

From the risk assessment perspective, the primary motive of any customer should be to make sure that the cloud provider has done their part - they have implemented the required controls within the stack they control. Secondly, customers need to figure out where in the stack they should take responsibility for implementing controls. They must ensure whether those controls are available in the stack or not. A service provider may or may not provide those controls as part of their architecture. Customers must take responsibility for making themselves aware of the available controls and use them to mitigate risks appropriately.

Another concept that I've seen just time and again is that cloud data risk assessment is an ongoing activity over the course of a company's evolution. As Derek was saying, you're also constantly just reconciling the required controls against the business bottom line. For a profit company, cash is king. If I have one revenue stream that’s 75% of my company's revenue, most of my efforts are going to have a better ROI there. But, you also need to adapt to scenarios when a new upcoming product line becomes as important. There are going to be a lot of moving parts as you progress and it’s going to be an ongoing exercise.

That's where I see a lot of potential in the crazy cloud world that is moving at the speed of light. In a way, you are always chasing in your journey to assess and mitigate risks.

The challenge that I have seen in Frame.IO and in other startups as well is that, as the business grows, you onboard a lot of vendors. As a company, we collect very limited PII because a lot of the functionality concerning PII is outsourced to vendors. Vendor risk becomes a key concern in the whole process. Now, you can perform all kinds of risk assessments on the vendors, but at the end of the day, it comes down to the trust you have in the vendor that they are taking all required security measures that you wanted to take in your company. That vendor might be using other vendors for the business as well. This basically makes it a never-ending chain, and you just don’t know how deep down in the chain the leak could happen, or what exposures do we have. That is a very challenging problem to solve.

In any audit and compliance process, there is cascading at play involving what you do, proving that you are doing it, and finally proving that you are monitoring that it is continuously happening. For example, in GDPR, if a user requests to delete their data, how do you generate the proof that you have actually deleted their data? When you are using a third party, it becomes even more challenging, for instance to fulfil a data deletion request, we need to request external vendors as well to delete data at their end. It has to be baked into the contract, it has to be baked into the assessment process that vendors have these processes in place to delete certain customer data. Again, the challenge also becomes whether you can verify that the customer data was deleted on their end or not. At the end of the day, the challenge is that I have to rely on just trusting external parties that they did what they have been asked to do.

One of the very first things I did in BriteCore was to make sure that we had an incident response plan. From a remediation standpoint, it is a business-critical item to make sure the plan is understood and people know how to operate it.

From a behavioral standpoint, if you tell someone, they have to brush their teeth three times a day, they are less likely to do it compared to “I'm just going to brush your teeth for you three times a day.” That mentality has worked both for us and other cloud-native solutions. It is important to find areas/tools where you can get the most ROI from a policy perspective. There's a lot of really interesting and strategic ways to do it. e.g. MDM - taking the onus of device management, antivirus protection, and endpoint detection out of the hands of the end-user, or getting an identity platform like Okta or Microsoft directory where a specific team is working to take the control out of employees’ hands.

For governance, accountability is very important, and so is having the business owners and the data owners opt into the provided frameworks. When I think of governance, I immediately think of RACI (Responsibility assignment matrix). In this framework, if CISO is accountable for governance, then who is responsible for it? The business part of the organization owns the majority of risk. If the risk is owned by the business, and if we have proper data owners established, then the CISO or the Compliance Officer should be governing and providing the framework/tools.

To add on top of what Richard said, you first need to provide the relevant tools/services, and then get a buy-in from everybody. Once you have the buy in, you assign data owners - you make them accountable for the data. To get governance going, it is important to tie the reports/metrics with some type of financial incentives e.g. performance bonuses. At the end of the day, it boils down to dollars and cents.

If Gamma.AI is doing what it claims to do, Gamma can solve the entire problem for me. The only thing I have to provide it is the data owners. Then Gamma can provide me the location and the classification of all my data while I could easily transfer data ownership to the respective stakeholders. Gradually, I’ll have full accountability of where my data lives, what its classification is, and whether the owners are taking responsibility for keeping it safe. So in short, Gamma could be my magic wand if it works the way you describe it.

Due to the COVID pandemic, customers have been shifting towards cloud from on-premise environments. They have struggled because their earlier controls were oriented specifically towards on-premise environments, e.g. they used to depend on firewall boundaries to control data leakage. But now, there is an important need to understand & classify data and then being able to apply policies to that data. Secondly, due to the WFH shift, endpoints used by a user could be anywhere in the world which is a new challenge for organizations who have mostly relied on traditional on-premise controls to secure endpoints. Today, endpoint controls have become more important than ever. For me, having these endpoint controls, and the ability to classify & recognize data are the two important use cases I would solve if I had a magic wand.

Due to the shift to cloud and the sudden shift to WFH, they are two important limitations that are surfacing:

1. Supply chain issues are increasingly becoming bottlenecks across the globe - for instance,. there are engineering firms that have had to shut down their whole operation because they couldn’t procure laptops.

2. Organizations relying on on-premise security controls to secure their endpoint devices can no longer do that and need to find ways to achieve their goals in this new WFH era.

There is a need for having compute environments that enforce required control policies, have the necessary DLP controls, can easily be monitored, and can be connected via any endpoint - and that is the use case I would solve if I were granted a magic wish.

As startups, you need to be agile and can’t strictly lock employees down when it comes to MDM. Balancing support, usability, and security from the end user perspective is important and always a big challenge. From the SaaS product perspective, the biggest problem is getting transparency into how your vendors are handling data. What kind of data is each vendor storing? Can you keep track of information cascading from one vendor to another? How do you build visibility into nested dependencies rather than just on the surface? This is extremely important to understand the liabilities and risks associated with sensitive data assets. If given a magic ward, I would solve this use case.

After you have already classified/determined sensitive data assets, the ability to identify pertinent data on each device on a real-time basis, and then being able to enforce relevant policies would be astounding. Irrespective of the device being used, an AI powered engine that could parse the data on each device, identify & classify relevant sensitive assets, and then enforce policies like locking the data down, or not allowing it to leave the device would be ideal and something that I’d like to solve for.