In Defense of Cyber Offense

By Mark Cassetta, Senior Vice President of Strategy, Titus

In recent years, cyber defense technologies have evolved quickly to help businesses protect their networks, restrict access and prevent data loss. And the market has certainly seen a lot of positive strides. But what if we thought about it differently? What if you begin to leverage all the principles you’ve used in our defensive data security strategies to help your business take a more proactive, offensive approach? Essentially, what if we thought about a cyber offense instead of a cyber defense?

Some data security tools and technologies can actually provide better visibility into your day-to-day business and help you uncover the value of all that data you’ve been protecting. In fact, taking a more offensive approach can ultimately lead businesses down a path toward greater efficiency, new ideas, and growth.

Take machine learning, for example

Organizations have embraced the use of machine learning and artificial intelligence (AI) in data analytics and data management for many years now to great effect. Why not also apply these technologies in our approach to data security to extract similar business value?

Many data protection tools, used defensively, help you identify and catalog the information in your network systems to better understand the different sensitivity levels of that data. Machine learning and metadata applied during this process helps take this understanding to a deeper level by building context around data, enabling organizations to set more customized security policies for information handling.

These information handling practices generally still fall in the realm of cyber defense — you are reacting to protect your data against cybercrime. However, data protection technologies that make use of metadata enable you to tag data with various details and assign categories to help extract the real value of data. Knowing the deeper context around your data allows you to pivot into a more offensive mode, applying data protection strategies and tools to propel the business forward.

As your data protection technologies reveal the broader context of data, that context offers data security professionals a new way of speaking with the executive leaders in your organization. Inoffensive mode, they can show how valuable your data can be for business purposes, as well as determining what data is critical (and should have most stringent protection) and what data is fine for public consumption (and does not need advanced protection).

Infonomics: Measuring, monetizing and managing data

We’ve all heard “data is the new oil” for quite some time now, but how can we quantify the value of this new commodity? If we can categorize our data using metadata and begin to understand the context around it, its value will begin to emerge.

Is this a confidential document that was tagged by someone in R&D? Is it a confidential document that was tagged by someone in finance? And is that financial information a balance sheet or a cash flow statement?

Let’s say you can identify 10,000 documents in your system containing R&D data. If you know the context around those 10,000 R&D documents, you can begin to understand how long it takes a project to get out the door. So how much is each of those documents worth? What is the financial risk to the business if they are lost or stolen?

Some files and documents contain personally identifiable information (PII) or personal health information (PHI). The financial risks related to this type of data have more to do with noncompliance fines, possible monetary liability to customers and employees, and the costs of overcoming damage to brand reputation. Other documents contain data that could spur business innovation and growth, and the financial risk can be calculated according to potential revenue opportunities.

Through metadata tags on other types of files, emails, and documents, you can learn more about your customers or about your sales cycles. For example, if your business has a good quarter, you can look back to find how many times the word “quote” or “RFP” appeared in emails and documents over the past three months and begin to predict the next quarter’s outcomes.

According to Gartner research, by 2022, 90% of corporate strategies will explicitly mention information as a critical enterprise asset. Currently, however, Gartner says, “… most information and business leaders lack the information and tools to monetize information … because the value of the information itself is still largely unrecognized, even as the value of other intangibles, such as copyrights, trademarks, and patents, is measured and reported.”¹

Monetizing information is part of the larger trend toward “infonomics,” a term coined by Gartner to describe the discipline of attributing economic significance to information, despite the limitations of current accounting standards.¹ According to Gartner, Infonomics also identifies “the tangible and intangible costs of managing, storing, analyzing and protecting data.”²

Businesses that measure the value of their data can make more intelligent investments in data-related initiatives. By monetizing data, organizations can create supplementary revenue streams, introduce a new line of business, gain efficiencies in daily business practices and more.

An offensive data protection strategy that proactively extracts value from protected data puts IT in a new advisory position with executive leadership. The conversations shift dramatically. Instead of simply, “We have a lot of sensitive data, and we need to protect it,” IT can go to the business leaders and say, “Hey we have about a billion dollars worth of data, and we should be leveraging that if we aren’t already doing so.”

We can’t do it alone

Extracting value is not something humans can do on their own with a high degree of accuracy, and when it comes to data security, accuracy is king, regardless of whether you’re taking a defensive or an offensive approach. If you’re going to provide a deep level of context around your data to secure it properly or to help determine its value, you’ve got to be accurate.

By training and retraining machine learning algorithms to recognize custom data categories, the accuracy, and depth of context around information expand exponentially. Over time, users will become accustomed to tagging data with ever more specific details to explain its context, which will only increase its value further. It’s the perfect example of humans and technologies working intelligently together.

Not only can your information handling behaviors become more specific to your business, protecting your data at the appropriate levels and meeting security compliance requirements, but you can begin to understand data as a real business asset with the profound potential to take your business to the next level of efficiency and success.

1 Laney, Douglas; Duncan, Alan D.; Clougherty Jones, Lydia; and Rollings, Mike. “Applied Infonomics: Seven Steps to Monetize Available Information Assets,” Gartner Inc., November 2018.

2 Lowans, Brian; Hunter, Richard; and Laney, Douglas. “Develop a Financial Risk Assessment for Data Using Infonomics,” Gartner Inc., January 2019.

About the Author

Mark Cassetta senior vice president of strategy at Titus. Mark oversees the product lifecycle from concept to implementation and customer success. He is passionate about customer advocacy and developing long-term partnerships with our global customers.

Since joining TITUS in 2012, he has held positions in marketing, business development and corporate strategy. He has over a decade of experience across application development and enterprise software, managing projects within large-scale technology transformations.

Prior to joining TITUS, Mark was a senior technology consultant at Accenture, managing projects within large-scale technology transformations. He holds a bachelor of commerce degree from the University of Ottawa.  Mark can be reached @TITUS and at our company website www.titus.com