Part V: It’s Time to Rethink Your Risk Mitigation Strategy - Governance and Compliance

Posted 06/28/2019 by Doug Chando

This is the fifth blog in a five-part series on risk mitigation and how Commvault can help. Access the fourth blog.

Warren Buffett once said, “Risk comes from not knowing what you are doing.”

Flipping that statement around a little, but following the same logic: “Risk is reduced by knowing what you are doing.”

That comment is especially true when talking about how you are managing your data. I would even take it a step further: risk comes from not intimately knowing what types of information and data you are protecting and managing, which may lead to managing it in a way that is not aligned to its value.

Data is a tremendously valuable resource, and not just because it has value to you. No, it has great value to others as well! This fact has not gone unnoticed by some people with malicious intent. Outside of the ransomware events that we see on a near-daily basis, there are also data breaches that occur with great frequency.

In some cases, data or information is stolen by cyber criminals who are looking to take it and sell it to others. One particularly disturbing trend is the increased targeting of, and demand for, personal data relating to younger individuals, teenage and younger. In a recent interview with ZDNet, Emily Wilson, VP of research at Terbium Labs, said: "Child data by design is fresh, in most cases, it's not going to have been exploited before… especially for very young children."

Suffice it to say that everyone is fair game, and the “law of innocents” does not apply to data.

As a steward of data, you have a responsibility to ensure it is managed appropriately. That could mean keeping it safe from all types of threats, but it also includes properly disposing of it when it’s no longer required. This applies to any data that you are managing, regardless of where it physically resides (on-premises, in the cloud, off-site location, etc.), and especially to data that contains sensitive or personally identifiable information (PII). In fact, data privacy is such a concern that a growing number of government regulations exist to ensure the proper handling and care of user data. The consequences for not being responsible stewards are varied, but usually include steep financial penalties, not to mention reputational and business impact.

To complicate matters, as the world continually becomes more connected, cross-regulatory compliance is quickly becoming the norm. As an example, privacy laws are already being enforced in the following countries:

  • Brazil - Lei Geral de Proteção de Dados (LGPD)
  • Australia - Privacy Amendment to Australia’s Privacy Act
  • U.S. - California Consumer Privacy Act (CCPA)
  • Japan - Act on Protection of Personal Information
  • South Korea - Personal Information Protection Act

Considering the evolving regulatory landscape, it’s becoming - and will increasingly become - more important to have intimate knowledge of your data. With added insights into your data and how you are using it, you can manage it in a way that is more aligned with its value and better meets the compliance mandates you must abide by, regardless of how stringent. For example, you might be required to handle any data containing sensitive or personally identifiable information differently than other data. Conversely, without this level of insight into your data, you could be commingling data types in a standard protection strategy, which could inadvertently leave you and your organization exposed if a breach were to occur. Unfortunately, many organizations fall into the latter category.

However, there is a better way to manage both your data protection needs and your governance and compliance needs in a way that can greatly minimize the associated risks. In fact, when other vendors were simply talking about backup and recovery, we at Commvault were talking about complete “data management” and “doing more with your data.” We’ll be the first to admit that any data management strategy must contain reliable data protection, but why not turn that potentially untapped resource into an operational and strategic asset?

I encourage people I talk with to perform an assessment of their current data protection solution by asking themselves:

Can we as an organization…

  • map personal data to understand where it lives, how it is used, and who has access to it?
  • manage and control the location of and access to sensitive data, such as IP or personal data?
  • remediate and respond (delete, move, restrict access), or orchestrate a review and approval process, for identified data?
  • identify improper usage of sensitive data and/or detect and dispose of data spillage?
  • effectively respond to data subject requests and breach notifications as required by data privacy regulations?
  • identify systems that require data protection?

If you answered “no” to any of these questions, then it’s probably a good time to rethink your risk mitigation and data management strategy. The good news is, you are exactly where you need to be to learn how to solve all the problems mentioned above. With Commvault you can gain greater, deeper insights into your data, regardless of where it lives, or the data type. With these insights you can actionably control and mitigate your risk by identifying, deleting, quarantining, or perhaps even preserving data selectively and when necessary. Because your data is constantly changing, you can manage these tasks in an automated fashion through intuitive policy-based controls; we refer to this as “smart data management.”

I’d love to say this is all good news. Unfortunately, it isn’t. The risks to your data are increasing daily, and as Warren Buffett said, the longer you wait to “know what you are doing,” the greater the potential risk. So I encourage you to learn more about how Commvault is helping its customers solve the most challenging data management problems and subsequently mitigate their risk.

Doug Chando is an industry veteran with more than 20 years of experience in IT, most of them within data protection and data management. Having worked in various positions over those years, from technical support to leading a pre-sales engineering team, he now focuses his efforts and experience on leading Commvault’s product marketing team.