It was another late-December morning a few days after Christmas and the weather was unseasonably cold where I live in New Jersey, in the northeast of the US. My daughters were a few days into their winter break and already getting into the routine of “waking-up-late-cereal-watching Netflix”. In my email box that morning I had a message from the principal of my oldest daughter’s school. The purpose of the principal’s message was betrayed by the already too-familiar subject line “xxx Middle School – Families COVID notification for 12-27-21”. See below:
At this point 22 months into the pandemic I’m already very used to swiping this email left and not giving it another thought. But it was a holiday break and kids were not attending school. The message was followed by two additional notes of a similar nature over the next few days, it suddenly got me asking: What was the point of it all?
What is the point of sending these generic notifications if no real information can be disclosed due to compliance? What am I as a parent supposed to do to keep my children and my family safe? Does every new email notice induce more fear or have we perhaps become numb and indifferent? For me personally, it’s the latter.
And just like that, it made me think of other forms of compliance (and frankly other parts of regulatory “busywork”) we in cybersecurity need to deal with, particularly when it comes to handling sensitive information. Creating the long automated repetitive reports that no one reads. Reports that contain the same generic data. The same stuff, just on a different day. Rinse and repeat, as it were. All the millions of alerts and notifications that maybe at some point were developed with good intentions but haven’t truly been critically evaluated – do we really need them still? Are they serving a purpose? Are we maximizing the value and is there a better way to do this?
To be clear, compliance with regulations is not optional, and those mandates have to be followed. But we mustn’t allow it to be the end goal. In the case of my school example with the postponement, additional data points on where the exposure was to whom may have been exposed, or simply limiting the delivery of the message to such individuals would have a lot more impact; offering “actionable information” to the people who should have it while still staying compliant with privacy and other regulations. For data security practitioners, we need to switch-off the “check box approach” and simply follow compliance in its narrowest interpretation. We need to rethink our investment of time, money and effort and in parallel invest in technology that will actually help us detect abuse, risky activities and misuse. Most importantly, we need to evaluate the tools and solutions based on how much actionable information they provide us to keep our customer’s data safe. Let us help you explore technologies that can prevent the next breach, and not just keep a record of it happening.
Try Imperva for Free
Protect your business for 30 days on Imperva.