The CISO knew he had a data leak, but he didn't know how big it was. He suspected data masking was the solution, but he couldn't make a business case for the investment. Those were the problems RiskLens Risk Consultant Cody Whelan and team set out to solve for this client. (No company names here; we respect our clients' privacy.)
Read Cody’s notes to pick up the story:
Like many of the other customers that we work with, this team had limited experience analyzing risk scenarios. They were thinking of risk basically as a scary event, and part of the job when we're onsite is to draw the information out so we can quantify their risk.
As part of the scoping process, we first identified what assets were of most concern from a data leak perspective—in this case, data repositories and SharePoint holding personally identifiable information (PII) and contractual information from clients.
Then we looked to identify the threat community. Their main concern going in was malicious external actors causing an exfiltration of information.
Yet when we asked a few key questions, we quickly came to understand that the most likely concern was insiders either accidentally sending out emails that contain PII or stealing contractual information, particularly as they left the company for other jobs. But the CISO only had a few confirmed cases of data leakage, not a lot of hard evidence to project from.
We also learned through our data gathering that if information did get sent to the wrong person, there were no real procedures in place to notify information security, and no DLP solution.
Next, we mapped their scenario to the FAIR ontology [chart], using the RiskLens application. Although we were working with limited data, we could still forecast frequency and magnitude based on the components you see in the chart. (Get an explanation of the FAIR model and the FAIR ontology.)
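To make the "forecast frequency and magnitude from the components" step concrete, here is an added example of a FAIR-style Monte Carlo simulation. It is not RiskLens code or the client's data: the scenario names follow the two insider concerns above (PII mis-sent by email, and contract data taken by departing employees), but every numeric range is a made-up placeholder standing in for calibrated estimates, and the triangular distribution is a stdlib stand-in for the PERT distribution FAIR tooling normally uses. The structure is the FAIR decomposition: risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability.

```python
"""FAIR-style Monte Carlo for an insider data-leak scenario (added example).

Not RiskLens code. All input ranges are placeholders; replace them with
calibrated estimates before drawing any conclusion from the output.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, sampled with a triangular distribution
    (a stand-in for the PERT distribution FAIR tools usually use)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate range: a point estimate
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range            # threat events per year
    vulnerability: Range  # probability a threat event becomes a loss event (0..1)
    magnitude: Range      # loss per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year given an annual rate."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> dict:
    """Simulate `iterations` years and summarise annualised loss exposure."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        # Each loss event draws its own magnitude; sum gives the year's loss
        annual.append(sum(scenario.magnitude.sample(rng) for _ in range(events)))
    deciles = statistics.quantiles(annual, n=10)   # 9 cut points: p10 .. p90
    return {
        "scenario": scenario.name,
        "years": iterations,
        "mean": statistics.fmean(annual),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "max": max(annual),
        "p_no_loss": sum(1 for a in annual if a == 0) / iterations,
    }


# Placeholder scenarios (assumed values, not the client's figures). The high
# vulnerability on the e-mail scenario reflects the page's observation that
# nothing (no DLP, no reporting procedure) stops a mis-sent message.
ACCIDENTAL_EMAIL = Scenario(
    name="Insider mis-sends PII by email",
    tef=Range(4, 12, 30),
    vulnerability=Range(0.6, 0.8, 0.95),
    magnitude=Range(2_000, 15_000, 120_000),
)
DEPARTING_EMPLOYEE = Scenario(
    name="Departing employee takes contract data",
    tef=Range(0.5, 2, 6),
    vulnerability=Range(0.3, 0.5, 0.8),
    magnitude=Range(20_000, 150_000, 1_500_000),
)


if __name__ == "__main__":
    for s in (ACCIDENTAL_EMAIL, DEPARTING_EMPLOYEE):
        r = simulate(s)
        print(f"{r['scenario']}: mean {r['mean']:,.0f}  "
              f"p10 {r['p10']:,.0f}  p50 {r['p50']:,.0f}  p90 {r['p90']:,.0f}  "
              f"P(no loss) {r['p_no_loss']:.2f}")
```

The p10/p50/p90 spread is what turns "a scary event" into a range a CISO can put beside the cost of data masking or DLP: rerun the simulation with the control in place (lower vulnerability, or lower magnitude if masked fields leak instead of raw PII) and the difference between the two distributions is the business case.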