Last week, I had the opportunity to participate in a panel titled “Balancing Access and Security to Data” at the AFWERX Fusion 2019 conference. An incredible cohort of USAF innovators including Adam Wilson, David Knight, and Col. Enrique Oti, joined a panel to explore possible answers to a question that has preoccupied many government agencies for some time. Specifically, how can they take advantage of an increasingly connected world when the effort is complicated by continued hacks, leaks, and inherent downsides of AI (such as poor data quality and collection).
“What is the right balance between security and access for my data?”
On one side of the equation is a desire to make all data easily accessible to those who may need it. Proponents of data accessibility cite rapidly changing operational environments and lagging policies as a key reason for broadened access (i.e., organizational policies don’t promote innovation). The other side of the argument is fueled by pervasive and valid concerns about cyber risk, hackers, and the need to button down databases and access. Advocates of increased security cite loss of critical data to adversarial groups, poor cyber hygiene and increased risk to entire infrastructures, and the need to protect PII and other sensitive data.
The panel members went back and forth, discussing why the answer to this question does not solely point to technology. As we went through the debate, an idea emerged — maybe considering data access and threat prevention as a technology spectrum issue is not the right approach. Maybe a more useful approach is broader. Here’s the idea we discussed.
Balancing data access and security is not a technology challenge. It is an organizational challenge.
Much of our discussion focused on concepts that were not technology-related (or not within the purview of the CIO / CTO) — and for good reason. Establishing the right cybersecurity foundation is critical, to be sure, but it isn’t everything. A number of barriers exist for organizations working to develop a thorough, complete data strategy capable of both securing data and ensuring the right groups (within and outside the organization) can access it. The valid challenges and concerns range from policies that frown on sharing data with external agencies, lack of trust between different organizations, and fears about security compromise.
Key considerations for turning data into secure insight
The panel used the common desire for shared situational awareness across operational teams as a guide for exploring this possibility. Discussing the security risk and the payoffs to sharing, we developed a list of key areas and questions an organization must address as they are working to turn data into insight:
- Do your policies promote or inhibit data sharing and access?
- If a team requires data from another department, how hard is it for them to access it?
- Is your organization using adaptive policies to change access based on different operational scenarios? If not, could it?
- Is your security posture built on a foundation of limited access?
- How are you implementing authentication processes to ensure adequate access?
- How is your team working to stay abreast of zero-day vulnerabilities to ensure the resilience of your systems?
- Is your leadership comfortable with broadened data access? If not, they may sense a loss of control because they are used to having first access to data.
- How does your leadership promote cross-department or agency collaboration?
- How do your employees access the data they need to innovate?
- What data are you collecting and how do you ensure it is clean, structured, and complete?
- How are you designing data strategies to power automation, AI, and other advanced technologies?
- Have you identified gaps in your data, and do you have a plan to close those gaps (e.g., via collection or partners)?
The balancing act and question come down to this — if data is fueling the advanced technologies that are moving your organization forward, is the organization itself prepared to accelerate? Take a look at your culture, policies, and leadership. Before embarking on your data journey, make sure the vehicle is ready to go further, faster.
Tyler Sweatt is a GovLoop Featured Contributor. He is the founder and Managing Partner at Future Tense. Tyler works to identify and address risks and opportunities in changing environments. He advises startups across the cybersecurity, artificial intelligence, and physical security domains, and regularly supports R&D, S&T, M&A and strategy initiatives across DHS, DoD, the IC and Fortune 500 organizations. Previously, Tyler worked at futurist consulting firm Toffler Associates, leading emerging technology and security efforts, and worked at Deloitte where he focused on rapid technology acquisition for DoD. A West Point graduate, Tyler served as a Combat Engineer and Counterintelligence Officer with the Army, serving multiple combat deployments. You can find him on Twitter @Tyler_Sweatt.