Data security management is a multidisciplinary practice for protecting sensitive company data.

Over the years, many approaches have been taken to this practice. Security vendors have developed an array of ‘locks and fences’ and sold them directly to end customers or through managed service providers (MSPs).

As cyber criminals and their tools have become more sophisticated, some data protection methods and network security measures have become less effective.

The protection-to-effort ratio has declined, and the cost-to-protection ratio has increased.

The efficacy of several legacy approaches to data security management has come into question.

Vendors have responded by creating more effective data protection tools to thwart cyber attacks. These tools have replaced once laborious implementations with intelligent automation.

This post examines some effective and some less effective data security management practices.

Sensitive Data

Data security management starts with understanding what sensitive data is.

Sensitive data is any information that must be protected from unauthorized access and sharing.

It encompasses multiple categories: contact details, geographic location, financial information, health records, trade secrets, and intellectual property.

All personal data, including name, email address, physical address, date of birth, mother’s maiden name, memberships, and driver’s license number, is sensitive.

Inadequately protected sensitive data can lead to data breaches that could cause harm to individuals and possibly put an entire organization out of business.

Industry-Specific Data Security Management

Sensitive data varies by industry due to the types of data housed and the regulations to which data is subject.

Healthcare

Healthcare organizations typically have more sensitive data than retailers or professional services companies.

The HIPAA Privacy Rule, enacted as part of the 1996 Health Insurance Portability and Accountability Act (HIPAA), establishes national standards to protect individuals’ medical records and other personal health information (PHI).

There are 18 HIPAA Identifiers considered personally identifiable information (PII).

Protected Health Information (PHI) is a subset of PII that includes any information related to an individual’s health status, medical history, or healthcare services that can be linked to them.

[Figure: Sensitive Data: PII, PHI, and NPI]

Finance & Banking

Financial services companies must be concerned with securing nonpublic personal information (NPI) and with compliance with the Gramm-Leach-Bliley Act (GLBA) privacy rule.

NPI data privacy violations are punishable by fines of up to $100,000 per violation.

Healthcare and financial services organizations require particularly high data security management diligence.

Data-Centric Security

Data-centric security focuses on protecting data wherever it is—on an office server, a remote laptop, or in the cloud.

This approach involves identifying sensitive data, classifying it based on its data type, and implementing appropriate security controls and policies to protect it.

The focus is on protecting data throughout its lifecycle rather than just securing the perimeter of a network with a firewall or a device with anti-malware software.

This approach includes various techniques and technologies, such as access controls, email filtering, encryption, and data loss prevention tools.

Data-centric security can be applied to home offices, remote offices, and public and private clouds.

Discovering and Classifying Sensitive Data

A part of data security management is discovering and classifying sensitive data.

Traditionally, data classification has been a heavily manual process.

While some sensitive data is stored in relational databases, much sensitive data is unstructured.

Widely distributed emails, chat archives, slide decks, documents, and text files contain most of an organization’s sensitive data. 

Automated tools have become necessary to improve the efficiency and accuracy of data discovery and classification.
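What an automated discovery pass actually does is easier to see in code. The following Go program is an added example, not code from the original post or from any vendor's product: it scans a few constructed sample documents for e-mail addresses, Social Security numbers and payment card numbers, validates the structured hits (Luhn checksum for cards, issuance rules for SSNs) so that look-alike numbers are not reported, and prints a masked report. The patterns, file names and sample contents are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one sensitive-data hit discovered in a document.
type Finding struct {
	Doc      string // constructed document name
	Category string // "email", "ssn" or "credit_card"
	Value    string // matched text; reports should show it masked
}

// Regexes for three common PII/NPI categories; patterns alone over-match, so structured identifiers get validated.
var patterns = map[string]*regexp.Regexp{
	"email":       regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	"ssn":         regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"credit_card": regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`),
}

// luhnValid checks the Luhn checksum that payment card numbers carry.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		if digits[i] < '0' || digits[i] > '9' {
			return false
		}
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// ssnPlausible rejects area, group and serial values that are never issued.
func ssnPlausible(s string) bool {
	p := strings.Split(s, "-")
	if p[0] == "000" || p[0] == "666" || p[0][0] == '9' {
		return false
	}
	return p[1] != "00" && p[2] != "0000"
}

func validate(category, match string) bool {
	switch category {
	case "credit_card":
		return luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(match))
	case "ssn":
		return ssnPlausible(match)
	}
	return true
}

// Scan runs every pattern over every document, keeps validated hits, and sorts them for a stable report.
func Scan(docs map[string]string) []Finding {
	var out []Finding
	for name, text := range docs {
		for category, re := range patterns {
			for _, m := range re.FindAllString(text, -1) {
				if validate(category, m) {
					out = append(out, Finding{Doc: name, Category: category, Value: m})
				}
			}
		}
	}
	key := func(f Finding) string { return f.Doc + "\x00" + f.Category + "\x00" + f.Value }
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out
}

// Mask hides all but the last four characters so the report does not re-expose what it found.
func Mask(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// SampleDocs are constructed stand-ins for files found on a shared drive.
var SampleDocs = map[string]string{
	"hr/onboarding.txt":    "New hire Jane Doe, SSN 123-45-6789, personal email jane.doe@example.com",
	"finance/expenses.csv": "card,4111 1111 1111 1111,meal\ncard,1234 5678 1234 5678,hotel\n",
	"eng/notes.md":         "Build 000-12-3456 passed; contact ops@example.com",
}

func main() {
	for _, f := range Scan(SampleDocs) {
		fmt.Printf("%-22s %-12s %s\n", f.Doc, f.Category, Mask(f.Value))
	}
}
```

Two of the five candidate matches are dropped on validation: the second card number fails the Luhn check, and the build identifier that happens to look like an SSN has an area number that is never issued. That validation step is what keeps an automated classifier from flooding reviewers with false positives.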

Balancing Security and Usability

There has always been a usability/security tradeoff regarding keeping data secure.

Some security requirements and protocols can seem onerous to end-users — discouraging them from accessing specific applications and fully collaborating with others.

The optimal balance of security and usability keeps daily business activities running smoothly while protecting sensitive data and mission-critical assets.

This calls for security management components that operate in the background and are therefore invisible to users.

Data Loss Prevention (DLP) Projects

A DLP (data loss prevention) project is a cybersecurity project designed to detect and protect sensitive data and to quickly alert IT managers to data breaches.

In the past, traditional enterprise data loss prevention (DLP) solutions required the development of dozens or hundreds of rules to guard data across its lifecycle.

These rules had to be applied differently based on data type, regulations, and business needs.

DLP deployments have had a high failure rate for several reasons, including the difficulty of continuously staffing the project with people who have the right skill sets. They rely too heavily on human effort.

Data Exfiltration Mitigation

Data exfiltration, or extrusion, is the unauthorized transfer of data from a computer, mobile phone, or other device.

Exfiltration can be carried out by an outside attacker or by a malicious insider.

The best way to mitigate data exfiltration is to make the data unreadable to whoever exfiltrates it.

Conventional wisdom says preventing data exfiltration involves adding enough ‘locks and fences,’ such as strong access controls and employee awareness training.

However, the best solution is to make exfiltrated data useless to thieves. More on this below.

Multi-Factor Authentication (MFA)

A key component of data security management is preventing brute-force attacks, in which attackers try known or guessed user passwords against various business accounts.

Business email accounts can contain a wealth of sensitive information. Too many of them are only protected by a simple password that a bad actor can discover in minutes.

To their credit, organizations have improved their internal MFA enforcement. Centralized tools like JumpCloud and Cisco Duo incorporate single sign-on (SSO) to increase user convenience.

Security awareness training programs have led to a greater employee understanding of the risks of poor online account protection.

However, attackers have bypassed even the strongest forms of MFA, and push-notification (MFA fatigue) attacks are a growing problem.
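Detection is the defender's side of the brute-force problem. The Go program below is an added example and is not part of the original post: it parses a constructed authentication log, groups failed logins by source address, and raises an alert when one source exceeds a failure threshold inside a sliding time window. Counting the distinct accounts hit also separates a single account under attack from one password being tried across many accounts. The log format, threshold, window and addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed authentication record.
type AuthEvent struct {
	At      time.Time
	Success bool
	User    string
	Src     string
}

// Alert describes a source whose failure pattern exceeded policy.
type Alert struct {
	Src      string
	Failures int // failed logins inside the window
	Users    int // distinct accounts targeted; many from one source suggests password spraying
}

// ParseLine reads the constructed format used in SampleLog:
// "<RFC3339 time> auth_failure|auth_success user=<name> src=<ip>".
func ParseLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || (f[1] != "auth_failure" && f[1] != "auth_success") {
		return AuthEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	user, src := strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "src=")
	return AuthEvent{At: at, Success: f[1] == "auth_success", User: user, Src: src}, nil
}

// DetectBruteForce flags each source with at least threshold failed logins inside any window-long span.
func DetectBruteForce(events []AuthEvent, threshold int, window time.Duration) []Alert {
	bySrc := map[string][]AuthEvent{}
	for _, ev := range events {
		if !ev.Success {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev)
		}
	}
	var alerts []Alert
	for src, fails := range bySrc {
		sort.Slice(fails, func(i, j int) bool { return fails[i].At.Before(fails[j].At) })
		start := 0
		for end := range fails {
			for fails[end].At.Sub(fails[start].At) > window { // slide the window forward
				start++
			}
			if end-start+1 < threshold {
				continue
			}
			users := map[string]bool{}
			for _, f := range fails[start : end+1] {
				users[f.User] = true
			}
			alerts = append(alerts, Alert{Src: src, Failures: end - start + 1, Users: len(users)})
			break // one alert per source is enough for this example
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// SampleLog is constructed: one source hammering a single account, one source trying one password
// across many accounts, and a user who mistyped twice and then signed in (RFC 5737 addresses).
const SampleLog = `
2024-03-01T09:00:01Z auth_failure user=alice src=203.0.113.7
2024-03-01T09:00:12Z auth_failure user=alice src=203.0.113.7
2024-03-01T09:00:25Z auth_failure user=alice src=203.0.113.7
2024-03-01T09:00:40Z auth_failure user=alice src=203.0.113.7
2024-03-01T09:00:58Z auth_failure user=alice src=203.0.113.7
2024-03-01T09:02:00Z auth_failure user=alice src=198.51.100.9
2024-03-01T09:02:30Z auth_failure user=bob src=198.51.100.9
2024-03-01T09:03:00Z auth_failure user=carol src=198.51.100.9
2024-03-01T09:03:30Z auth_failure user=dave src=198.51.100.9
2024-03-01T09:04:00Z auth_failure user=erin src=198.51.100.9
2024-03-01T08:30:00Z auth_failure user=bob src=192.0.2.44
2024-03-01T08:31:00Z auth_failure user=bob src=192.0.2.44
2024-03-01T08:31:20Z auth_success user=bob src=192.0.2.44`

// DemoAlerts runs the detector over SampleLog with a 5-failures-in-5-minutes policy.
func DemoAlerts() ([]Alert, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(SampleLog), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return DetectBruteForce(events, 5, 5*time.Minute), nil
}

func main() {
	alerts, _ := DemoAlerts()
	for _, a := range alerts {
		fmt.Printf("src=%s failures=%d accounts=%d\n", a.Src, a.Failures, a.Users)
	}
}
```

The two alerts differ in the accounts column: one source hit a single account five times, the other hit five different accounts once each. Both patterns are the kind of activity that MFA and lockout policies are meant to blunt, and both are invisible if the log is only checked per account rather than per source.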

Addressing Common Vulnerabilities and Exposures (CVEs)

CVE.org lists almost a quarter of a million publicly disclosed vulnerabilities and exposures at any given time.

The scale of cybersecurity vulnerabilities is staggering, to the point that even the National Institute of Standards and Technology (NIST) has struggled to keep its database up to date.

According to Tenable, one example of a CVE is a SQL injection that “can read sensitive data from the database.”

This underscores the urgency for proactive measures, as even security appliances like firewalls have become attack surfaces.

A major caveat is the significant delays between vulnerability discovery and patching. A survey by Orange Cyberdefense concluded that organizations take an average of 88 days to patch critical cybersecurity vulnerabilities.

Worse, major software vendors can’t be relied upon to sufficiently prioritize enterprise security and risk management to thwart cyber threats.


This means that despite the best efforts of IT departments, unpatched software and firmware are growing chronic vulnerabilities, resulting in a persistent game of ‘catch-up’ within the data security management domain.

Dynamic Data Encryption

An emerging component of data security management is dynamic data encryption.

Sensitive data can be identified, classified, and automatically encrypted rather than relying on static, manual processes.

[Figure: SSN card, encrypted]

Encrypted sensitive data is always secure: when created, inside and outside the organization, when in motion, when used, and even while dormant.

It can only be decrypted with a sentry app and an organization’s decryption key.
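The idea of making exfiltrated data useless, from the exfiltration section above, and the classify-then-encrypt flow described here can be shown concretely. The Go program below is an added example, not the post's or any vendor's implementation: it takes a record whose fields already carry classification labels, encrypts the regulated ones with AES-256-GCM under a freshly generated key, and leaves public fields readable. The field name and label are bound into the authentication tag, so a copy of the data is unreadable without the organization's key and any tampering or relabelling is rejected on decryption. The labels, policy and sample record are assumptions; in practice the key would live in a KMS or HSM rather than in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Field is one record attribute plus the label a discovery pass gave it.
type Field struct {
	Name           string
	Classification string // constructed labels: "public", "pii", "phi", "npi"
	Value          string
}

// policy lists the classifications that must never leave the organization in clear.
var policy = map[string]bool{"pii": true, "phi": true, "npi": true}

const prefix = "enc:" // marks a value that is already protected

// NewKey returns a random 256-bit key (in production it would live in a KMS or HSM).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any length other than 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds field name and label into the tag, so a ciphertext cannot be quietly relabelled or moved.
func aad(f Field) []byte { return []byte(f.Name + "|" + f.Classification) }

// Protect encrypts every field the policy covers under a fresh random nonce; public fields stay readable.
func Protect(key []byte, fields []Field) ([]Field, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([]Field, len(fields))
	for i, f := range fields {
		out[i] = f
		if !policy[f.Classification] {
			continue
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		sealed := aead.Seal(nonce, nonce, []byte(f.Value), aad(f)) // nonce || ciphertext || tag
		out[i].Value = prefix + base64.StdEncoding.EncodeToString(sealed)
	}
	return out, nil
}

// Reveal decrypts protected fields; a wrong key, a flipped byte or a relabelled field yields an error.
func Reveal(key []byte, fields []Field) ([]Field, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([]Field, len(fields))
	for i, f := range fields {
		out[i] = f
		if !strings.HasPrefix(f.Value, prefix) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(f.Value, prefix))
		ns := aead.NonceSize()
		if err != nil || len(raw) < ns {
			return nil, fmt.Errorf("field %s: malformed ciphertext", f.Name)
		}
		pt, err := aead.Open(nil, raw[:ns], raw[ns:], aad(f))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", f.Name, err)
		}
		out[i].Value = string(pt)
	}
	return out, nil
}

// SampleRecord is a constructed record mixing public and regulated fields.
var SampleRecord = []Field{
	{"department", "public", "Accounting"},
	{"ssn", "pii", "123-45-6789"},
	{"diagnosis", "phi", "Type 2 diabetes"},
}

func main() {
	key, _ := NewKey()
	protected, _ := Protect(key, SampleRecord)
	fmt.Printf("%+v\n", protected)
	other, _ := NewKey()
	_, err := Reveal(other, protected) // a stolen copy without the organization's key
	fmt.Println("decrypt with the wrong key:", err)
}
```

The nonce is generated per field and stored in front of the ciphertext, which is the standard AES-GCM usage; reusing a nonce under the same key would break the scheme, so it must never be derived from the record contents. Because decryption is authenticated, a thief who copies the protected record gets neither the plaintext nor a way to alter it undetected.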

The many data security ‘locks and fences’ that businesses have installed over the years eventually show signs of rust.

Hackers have become more effective at picking locks and getting past traditional fence gates.

Despite following best practices for protecting systems and devices from cyber attacks, organizational data remains at risk.

A dynamic approach to data security management is needed to protect businesses from ever-evolving threats.
