Let’s be blunt: the mindset that “our data isn’t that sensitive” is a dangerous fallacy. It’s a blind spot that leaves organizations vulnerable and undermines the very purpose of collecting and storing information in the first place. We need to shift the paradigm.
All data is sensitive data. It’s not just about Social Security numbers, credit cards, and health records; it’s about the lifeblood of the organization itself. As security professionals, we need to not only understand this intellectually but also internalize it and champion this perspective within our organizations.
Think about it logically:
- Value: Why are we storing this data if it holds no value? Whether it’s customer interaction logs, internal project details, supply chain information, or even employee attendance records, this data informs decisions, drives operations, and provides insights. If it has no value, delete it. But if it’s being kept, it serves a purpose, and that purpose imbues it with value.
- Trust: Can you make sound business decisions based on data you don’t trust? Data that’s been tampered with, is incomplete, or is inaccurate is worse than useless – it’s actively misleading. If the data has value to you, then someone can benefit from altering it and breaching your trust in it. Security breaches don’t just expose information; they erode the integrity of the data itself, rendering it unreliable. SOX is one of the few compliance regimes whose controls are explicitly aimed at the accuracy and integrity of the data it governs (financial reporting). But you must be able to trust all of your data, not just the portion a regulator asks about.
- Operational Necessity: Consider payroll data. It might not be classified as “highly sensitive” under some compliance regulations in the same way as financial account details. But can you imagine the chaos and legal ramifications if payroll data were manipulated? The impact is significant, even if it doesn’t fit neatly into a specific compliance box.
- The Liability Factor: In today’s landscape, data breaches aren’t just about the direct loss of information. They trigger reputational damage, legal battles, regulatory fines, and a loss of customer trust. Even seemingly innocuous data, when exposed in the wrong context or combined with other compromised information, can create significant liabilities.

Insecure data is useless, misleading, and a liability. It’s better not to store data at all than to store it without securing it.
Databases: The Fort Knox of Your Organization’s Information
Where does this valuable, potentially liable data reside? Predominantly, in your databases. These are the repositories that house the raw ingredients for insights, decisions, and actions. Neglecting their security while focusing solely on endpoint protection is akin to building a sand castle around an unlocked treasure trove.
Why the disconnect? Perhaps it’s the perceived complexity of database security, the sheer volume of databases within an organization, or the allure of more visible threats like malware. But the truth remains: insecure databases are a gaping hole in your security posture.
Moving Beyond the Fallacy: A Call to Action for Security Professionals
We, as security professionals, have a responsibility to champion a holistic view of data security. That means:
- Educating and Advocating: We need to articulate the inherent value and potential liability of all data to our colleagues and leadership. We must move beyond the compliance-driven definition of “sensitive” and emphasize the business impact of insecure data. Use real-world examples within your organization to illustrate the point. Wherever there’s data, there’s someone who will benefit from modifying or stealing it.
- Embracing a Risk-Based Approach (Intelligently): While the ultimate goal is to secure all data, resource constraints are real. A risk-based approach can help prioritize efforts. However, that prioritization must be informed by a comprehensive understanding of the potential impact of a breach, including tampering, not just a narrow, compliance-driven definition of sensitivity. Baseline controls must be applied consistently across every database, with stronger controls layered onto the ones at higher risk.
- Prioritizing Database Security: Database security must become a core pillar of our security strategy, not an afterthought. For most databases, the baseline is well understood: least-privilege access control (one role per workload, no shared or ambient privileges), encryption in transit and at rest, change control over schema and privilege changes, and basic monitoring of logins and modifications. Advanced controls such as database activity monitoring can initially be reserved for the more sensitive systems. But the ultimate goal must be robust security for all databases.
- Building a Data Security DNA: Protecting data and databases isn’t the same as managing antivirus or filtering spam. It takes time, training, and management sponsorship to move the security and technical teams to a place where data security is a natural part of having data. We need to build a culture where data security is ingrained into all IT and security operations and everyone understands their role in safeguarding information.
- Iterative Improvement: We recognize that securing all databases to the highest standard overnight is not realistic. The journey towards robust database security is iterative. As the organization’s security maturity evolves, so too will its ability to implement more sophisticated security measures across its data landscape. The key is to start now and continuously improve.
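To make the “baseline for every database” concrete, here is an added example (not from the original post) of what that baseline looks like in PostgreSQL for a table most organizations would never label “sensitive”: employee attendance records, which feed payroll. The schema, table, role names and column layout are hypothetical. It covers the three baseline controls named above that can be expressed in SQL: least-privilege access, change control via an append-only audit trail, and a first monitoring query over that trail (encryption in transit and at rest is configured at the server and storage layer, not in SQL).

```sql
-- Added example, not from the original post. PostgreSQL 11+ syntax.
-- Schema "hr", table "attendance" and the role names are hypothetical.

-- 1. Access control: nothing reachable through PUBLIC, one role per workload.
CREATE SCHEMA IF NOT EXISTS hr;
REVOKE ALL ON SCHEMA hr FROM PUBLIC;           -- explicit, even where it is the default

CREATE TABLE hr.attendance (
    id          bigserial    PRIMARY KEY,
    employee_id integer      NOT NULL,
    work_date   date         NOT NULL,
    hours       numeric(4,2) NOT NULL CHECK (hours >= 0 AND hours <= 24),
    UNIQUE (employee_id, work_date)
);

CREATE ROLE attendance_app NOLOGIN;   -- the time-clock application
CREATE ROLE payroll_reader NOLOGIN;   -- the payroll job only ever reads

GRANT USAGE ON SCHEMA hr TO attendance_app, payroll_reader;
GRANT SELECT, INSERT, UPDATE ON hr.attendance TO attendance_app;      -- no DELETE
GRANT USAGE, SELECT ON SEQUENCE hr.attendance_id_seq TO attendance_app;
GRANT SELECT ON hr.attendance TO payroll_reader;

-- 2. Change control: every modification is recorded in a table the
--    application roles cannot read, rewrite or purge.
CREATE TABLE hr.attendance_audit (
    audit_id    bigserial   PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    db_user     text        NOT NULL DEFAULT current_user,
    client_addr inet                 DEFAULT inet_client_addr(),  -- NULL on local sockets
    operation   text        NOT NULL,            -- INSERT / UPDATE / DELETE
    old_row     jsonb,
    new_row     jsonb
);
REVOKE ALL ON hr.attendance_audit FROM attendance_app, payroll_reader;

-- SECURITY DEFINER: the trigger writes the audit row as the function owner,
-- so attendance_app can cause audit rows without being able to touch them.
CREATE OR REPLACE FUNCTION hr.audit_attendance() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO hr.attendance_audit (operation, old_row, new_row)
    VALUES (TG_OP,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN NULL;  -- return value is ignored for AFTER triggers
END;
$$;

CREATE TRIGGER attendance_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON hr.attendance
FOR EACH ROW EXECUTE FUNCTION hr.audit_attendance();

-- 3. Basic monitoring: who changed recorded hours after the fact, from where.
--    This is the tampering case the post describes: no data is "exposed",
--    but payroll is now computed from numbers nobody entered at the clock.
SELECT a.changed_at,
       a.db_user,
       a.client_addr,
       a.old_row->>'employee_id' AS employee_id,
       a.old_row->>'work_date'   AS work_date,
       a.old_row->>'hours'       AS hours_before,
       a.new_row->>'hours'       AS hours_after
FROM   hr.attendance_audit a
WHERE  a.operation = 'UPDATE'
  AND  (a.old_row->>'hours') IS DISTINCT FROM (a.new_row->>'hours')
ORDER  BY a.changed_at DESC;
```

Two caveats a practitioner would add. First, this trail is only as trustworthy as the accounts that can bypass it: the table owner, anyone with `SUPERUSER`, and anyone who can `ALTER` or `DROP` the trigger can still change rows silently, so privileged access needs its own change control and the audit table (or the server log) should be shipped off the host. Second, the monitoring query is a starting point, not a detection program; the point is that even an “unimportant” table gets an owner, a least-privilege role, a record of changes, and someone who looks at it.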
Final Thoughts
Investing solely in firewalls, antivirus, and email security while neglecting database security is a blatant misallocation of resources. It’s like putting all your eggs in the wrong basket.
Let’s shift the narrative. Let’s help our organizations understand that all data is valuable, and therefore, all data is sensitive. By making database security a cornerstone of our strategies, we can truly protect our organizations’ most critical assets and build a more resilient and trustworthy digital future. It’s not just a logical conclusion; it’s a business imperative.