close search bar

Sorry, not available in this language yet

close language selection

A CISO’s guide to sensitive data protection

Anna Chiang

May 25, 2021 / 4 min read

Table of Contents

The SolarWinds software supply chain attack, which was delivered to over 18,000 customers via the company’s own software update process, was the result of malicious code deployed in SolarWinds’ Orion network monitoring software. The Wall Street Journal reported that the attack gave hackers potential access to sensitive corporate and personal data, and The Verge reported that “9 federal agencies and about 100 private sector companies were compromised.”

Takeaways from the SolarWinds supply chain attack

Supply chain attacks are not new, and recent headlines are an important reminder for organizations to look more closely at supply chain risks. That goes for both commercial software producers (companies that produce products and services for other organizations or for the public) and software supply chain consumers (companies that consume materials, products, and services from various third parties). Some of the takeaways from the recent attack are:

  • Producers need to improve how they modernize and secure their development environments and DevSecOps processes.
  • Consumers must ensure they’re using certified and legitimate supply chain software from trusted producers/third parties. They also must improve the criteria for their software acceptance.
  • Companies should re-evaluate how they design and implement their systems and software in order to better protect themselves against increasingly sophisticated cyber attacks.

This is the first of a series of blog posts focused on sensitive data protection and how organizations can better protect their sensitive data and corporate intellectual property, with a focus on application security.

Data protection requires collaboration

One of a CISO’s primary responsibilities is to protect their company’s important digital assets, which can include corporate intellectual property such as proprietary source code and other patented technology or confidential information. However, because of emerging privacy and regulatory laws and standards, CISOs and data protection officers now also need to protect user data—personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) data.

These new privacy laws are increasing the restrictions on the use, retention, and geographic residency of user data. This requires many organizations to protect this data and its use both internally as well as with third-party vendors that handle this data. CISOs need to work with their colleagues in data protection, privacy protection, IT infrastructure, compliance, and software development to ensure compliance with these data protection and privacy laws, standards, and guidelines. In addition, the emergence and adoption of hybrid clouds and multicloud services creates new challenges for data security. Other factors—the geographic origin of data, storage location, and user access location points—further complicate what services providers and major cloud infrastructure providers need to do to secure their data.

Consumers are concerned about their data privacy

Consumers are becoming more wary about how their personal information is used. The National Conference of State Legislators, citing a report by the Pew Research Center, notes “More than 80% of Americans say they go online on a daily basis. Of those, 28% go online almost constantly and 45% go online several times a day. Consumers are now more aware that businesses, social media sites, and other websites may collect and share their personal information with third parties. They also hear more about security breaches, cyber attacks, and unauthorized sharing of personal information.”

Similarly, a survey of 1,000 consumers from the U.S. and the U.K. conducted by Entrust showed that 79% of consumers said they’re concerned about data privacy, and 64% said that concern has increased in the past 12 months. According to an article from Security Boulevard, the top reasons for consumers’ heightened concerns were news stories about data breaches and seeing an increase in targeted ads on social media.

By 2023, companies that earn and maintain digital trust with customers will see 30% more digital commerce profits than their competitors."

Gartner

|

The State of Privacy and Personal Data Protection, 2020-2022, Aug. 26, 2020

The recent surge in remote work has also resulted in increased worker data privacy concerns. “What we found was that roughly two years ago most companies barely had a privacy team; it was tucked away in a legal office,” says Robert Waitman, director of data privacy at Cisco. “But with the shift to remote work because of the pandemic, privacy has become more important, mainly because employees were uncomfortable with the privacy of the tools available and the need for companies to provide a safe workplace.”

The role of application security in data protection

Understanding how application security ties into data and privacy protection is essential. With the digital transformation happening in many industries, organizations are compelled to digitize their business web presence to more quickly gain and retain new customers versus their competitors. This is especially true in the financial services industryhealthcare, and e-commerce/retail market segments, where usage of mobile and web applications and websites has increased significantly. However, these websites and applications can also serve as attack vectors for hackers who leverage them as entryways into organizations’ databases, which contain sensitive user data that can be monetized on the dark web.

This white paper provides a summary of recent privacy laws and describes how different frameworks and security tools—including application security tools—can help ensure data protection and privacy. Software security services, architecture analysis, and threat modeling of new systems from both a security and systems engineering perspective are equally important. CISOs should work collaboratively with their heads of software application development, third-party application procurement, and systems engineering to better protect sensitive data against potential cyber security attacks that can lead to costly data breaches. The recent SolarWinds software supply chain breach points to the urgent need for improved DevSecOps processes, secrets management, and sensitive data detection throughout the stages of the software development life cycle.

White paper

CISOs Guide to Sensitive Data Protection

Download report

Continue Reading

Managing risk at scale

Managing risk at scale

Charlotte Freeman
By Charlotte Freeman

Apr 08, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
SANS report: Securing the shifting landscape of application development

SANS report: Securing the shifting landscape of application development

Charlotte Freeman
By Charlotte Freeman

Apr 03, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
Guide to updating from NIST CSF 1.1 to 2.0

Guide to updating from NIST CSF 1.1 to 2.0

John Waller
By John Waller

Mar 29, 2024 / 7 min read

Tags: Software Integrity, Cloud Security, Manage Security Risks
2024 OSSRA report: Open source license compliance remains problematic

2024 OSSRA report: Open source license compliance remains problematic

Fred Bals
By Fred Bals

Mar 19, 2024 / 4 min read

Tags: Artificial Intelligence, Software Integrity, Manage Security Risks, OSS License Compliance
Attesting to secure software development practices

Attesting to secure software development practices

Tim Mackey
By Tim Mackey

Mar 12, 2024 / 2 min read

Tags: SCA, Software Integrity, Secure the Software Supply Chain, Manage Security Risks
2024 OSSRA Report: Outdated code risk in open source components

2024 OSSRA Report: Outdated code risk in open source components

Fred Bals
By Fred Bals

Mar 06, 2024 / 4 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security