Data Security as a Vector

Suchit Mishra — 4/6/2023 — 5 Min Read

Over the weekend, I was reflecting on why certain companies are way more successful than others and came across this amazing write up by Dharmesh Shah, founder and CTO of HubSpot where he recounts his interaction with Elon Musk who once told him that:

"Every person in your company is a vector. Your progress is determined by the sum of all vectors." --- Elon Musk

Dharmesh's article is a must read for any startup founder. To paraphrase Dharmesh's interpretation of what Elon meant: a vector is a quantity having both magnitude and direction. So, if we consider each person in the company as a vector, we could add them up, get a sum of all vectors and represent that sum with a single, new vector. That new vector is basically the direction and momentum your company is moving.

That got me thinking about the term *vector *as it relates to security. During my tenure as a security leader at hyper growth companies, the recurring message I got from the top leadership was,

"Suchit, you should definitely build the right security culture but you cannot slow down the engineering velocity."]

Let's unpack that, engineering velocity includes speed of execution which is a magnitude and the best teams are not only moving fast but also directionally adding great value for the customers, eventually growing the business. So, engineering velocity in that sense is a vector.

For better or worse, security at most tech companies is treated as a scalar, we do the best we can in managing the risk. There are lots of good theories but truth be told, there is no strong evidence of security initiatives directly propelling the growth of the business. Unless of course you are in the business of selling security products or services.

At the recent re:Inforce 2022, Amazon's CSO, Stephen Schmidt re-hashed the layered defence model where he categorically mentioned that humans and data don't mix well and so any time you store or process data it should be intentionally controlled, intentionally encrypted, and intentionally protected.

And the most important question to ask as a CSO is Who has access to what and why?

Photo credits: AWS re:Inforce 2022 --- Keynote

So combining these two schools of thought, I am of the opinion that a good security program should technically start with understanding what data the organization has, where all the data is, and who has access to it. Ultimately, data is the new oil or so called crown jewel for many organisations. Data is a vector because it grows in volume and at the same time adds to the monetary value of the business. From an attacker's lens, the more data the organisation has, the more lucrative the booty, and that's the vector they are looking for to maximise their return on investment.

Given this, I would imagine that all the defenders would first focus on the aspects of data security but sadly, that's not the case.

As tech pros we are more attuned to solving B+ problems than A+ problems. What do I mean by that? Most engineers will solve problems they understand how to solve and within their control. A+ problems are high impact for the company but very hard to do as you cannot come up with an easy solution. Data sprawl and managing security of the data across any medium to large sized company is an extremely hard and multi-dimensional problem, because it not only requires a very high degree of collaboration and alignment across teams of people, but also a high friction activity. Basically, the vectors within the organisation do not add up. Which is why security pros eschew taking it upon themselves to lead and own this problem child.

So what do we do instead? Gravitate towards effectively managing the security at the other layers viz. perimeter, network, endpoint, and application. The supposition is that if we keep the bad guys out through this layered defence approach, the company's data will be safe. Not suggesting we should not do that. Those layers are definitely necessary but not sufficient. In today's fast growing cloud native organisations, it is nearly impossible to get your arms around the data flowing in and out via the other layers of the defence.

On the other hand, the cyber criminals who are not encumbered by these organisational challenges go after compromising the systems that have the highest number of data records and directionally position themselves to maximise their booty.

And therein lies the asymmetry.

Defenders are totally ill-prepared and not in a good position to protect the crown jewels. Without the data context, we are really missing the why a security issue at the network layer or application layer or endpoint needs to be fixed.

As a result, directionally, the defenders don't seem to be aligned towards maximising their chances of protecting the company's crown jewels while the attackers are perfectly placed to exploit and compromise the same. And as long as this asymmetry exists, the bad guys will always win.

The topic of data ownership and security of data has always been a grey area, something nobody wants to own but at the same time, everybody in the organisation wants to use and/or monetise the data.

Personally, I feel the security team should step up and take the lead in managing this risk. Business needs to unlock the potential of data and use it for competitive advantage. The security team simply locking it down won't help. There is a dire need to re-think the approach required to balance data security and business needs.

As security leaders we rarely get a seat at the business table because we tend to act as gatekeepers who slow everything down and don't add value. In the cloud world, as security practitioners, we need to shift our mental model from a traditional castle and moat approach. Instead, pivot to a data first security construct and move from being a gatekeeper to building the guardrails for the new data economy. That's the vector that will change the game in our favor.