For Data Protection, Easy Does It

Guest blogger: Derek Brink, Aberdeen Group

In the realm of information security, the traditional trade-offs security professionals seek to balance, such as effectiveness of security, total cost of ownership, and convenience for users have been the relentless targets for continuous improvement by innovative solution providers. Anyone who has been working in this field for a length of time would have to admit that today’s security solutions are more capable, cost-effective, and much easier to use than the security solutions of 20, 10, or even five years ago.

But there were over 3,200 publicly disclosed data breaches from 2017-2018, which averages to between four and five data breaches daily. Although the median number of records disclosed to unauthorized parties was relatively small (about 1,300 records per breach), there were 114 data breaches of 1M records or greater during this two-year period – or, about one mega-breach weekly.

How can these two observations be reconciled?

In Aberdeen's view:

  • Solution providers continue to enhance capabilities and the effectiveness of security solutions, focusing on driving down the total cost of ownership for enterprise buyers. As evidenced by the existence of an estimated 3,500 companies in this space, this is clearly an important problem to solve.
  • Security professionals must continue to mature in their ability to quantify security- related risks and communicate more effectively about risk using business terms that resonate with management, understanding that to this audience, total cost of ownership for security solutions only becomes relevant in the context of how the investment reduces risk. In layman’s terms, it’s a question of whether the juice—reducing their risk to an acceptable level—is worth the squeeze— the total cost of implementing the solution.

Which brings us directly to convenience and ease of use, the third leg of the traditional trade-offs. It can be tempting to question how much these tradeoffs really matter, but don’t fool yourself – they matter quite a bit, even if they are often neglected. For example, when reviewing the topic of enterprise collaboration, Aberdeen’s benchmark research revealed a significant misalignment between business users and technical staff regarding this important question.

  • Both groups agreed that data privacy and data security are leading concerns, especially when collaboration involves valuable enterprise data such as intellectual property or confidential information, or regulated data, including cardholder data, personal health information, or personally identifiable information.
  • But business users and technical staff had significantly different views on cost and the ability of IT to support business needs. The issue is not that these projects aren’t sufficiently funded—in Aberdeen’s study, most respondents indicated a year-over-year increase in resources allocated. However, business users perceive their needs changing faster than technical staff’s ability to keep up.
  • But when it comes to results, the net satisfaction of business users (both internal and external) with current enterprise collaboration initiatives was about 60% less than the technical staff perception. For business users, convenience and ease of use has a significant impact on net satisfaction and the extent to which they embrace a given solution – or continue to look for shortcuts and workarounds.
Data breach cost analysis

Unless you work in an organization with a strict command-and-control, “do it my way or hit the highway” culture, solutions that are inconvenient or difficult to use are unlikely to fully achieve intended business objectives. For example:

  • Aberdeen’s study on web site performance confirmed what most of us already know from firsthand experience: the longer the response time, the likely users are to abandon the site and move on—with 20% abandonment after a delay of just 3 seconds.
  • In another dimension, a user experience that required an additional, overt authentication step to be taken was found to result in abandonment rates of as high as 20%, with a most likely range between 4% and 10%.

For these reasons, solutions that make it easy for business users to collaborate securely with external parties when valuable or regulated data is involved, using familiar productivity tools—as exemplified by PKWARE’s secure email solution—will have the fastest path to acceptance and the highest likelihood for success.

For successful data protection initiatives, “easy” does it.

PKWARE’s Secure Email solution makes it easy to share sensitive information, without compromising data security and without the frustrations of a secure email gateway system.

Derek E. Brink, CISSP

Vice President and Research Fellow, Aberdeen Group
Adjunct Faculty, Harvard University and Brandeis University
www.linkedin.com/in/derekbrink

Find more posts by: Derek Brink