Uncovering Hidden Risks 2.22.23
Ep 6 | 2.22.23

Three Steps to Build a Comprehensive Data Security Strategy


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode.

Erica Toelle: Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode, we will discuss how customers can think about planning a comprehensive data protection strategy as they continue their digital transformation efforts. We will cover how to balance data security and productivity and how to create an end-to-end protection strategy. Let's start by introducing today's guest host who will join us for this discussion. Liz Willets is a senior product marketing manager on the Microsoft Purview marketing team. Hey, Liz. Would you like to share a little bit more about your background and experience? 

Liz Willets: Thanks, Erica. Yeah. I'm super excited to be here. And as you mentioned, I'm a product marketing manager on the Microsoft Purview team, and I'm leading the cross-suite efforts around our data security solutions. And so this has been a really exciting space, you know, one that's evolved a lot since 2020 as customers just faced this explosion of data growth, you know, from digitalization and hybrid work. And so with that really comes this need for a foundation of data security. And so I'm really excited to chat more about that today. 

Erica Toelle: So glad to have you. And next, let's go ahead and introduce our episode guest. So Raman is a director of product marketing for Microsoft 365 security and a former host of the "Uncovering Hidden Risks" podcast. Raman, would you like to reintroduce yourself to our new listeners and share a bit about your background and experience? 

Raman Kalyan: Yeah, absolutely, Erica. Thanks for having me. This is awesome to be back on "Uncovering Hidden Risks." I mean, I think the last time I was on here was hosting, as you mentioned, in - what, Liz? - must have been, like, 2020 I think. Maybe. It's been a long time. A lot has happened since then, so excited to be back. And, yeah, so I'm on the Microsoft Purview team as well. My team looks after the broader sort of, you know, data security set of solutions that we take to market, including insider risk, communication compliance, data loss prevention, eDiscovery, et cetera. And so excited to be here to talk to you about that. I've been at Microsoft for - wow - over 15 years now. So a lot has gone on. A lot has evolved. And I'm looking forward to where we go from here, especially in this age where we, as an organization, are really sort of here to help customers safeguard their data - right? - keep their data safe. And that's what we're here to talk about today. So excited. 

Erica Toelle: With that, let's jump into our first question. So, Raman, to set the context for this podcast for our listeners, could you please tell us a bit more about why a comprehensive data security approach is an important consideration for companies today? 

Raman Kalyan: Yeah, absolutely. Erica, the global market for data security solutions is growing rapidly, right? It's primarily driven by the increasing volume of sensitive data that's being generated and stored. And as you think about, you know, how it's being generated and stored, you have to really think about this multi-cloud, hybrid environment that we're in, and that's not going away. And so that really - that landscape really sort of drives this growing threat of not only cyberattacks, but then also internal data breaches, right? 

Raman Kalyan: And one of the stats that, you know, we recently came across was that 83% of organizations have experienced more than one data breach in 2021, 2022, of which 20% of those data breaches are caused by internal actors within the organization. Now, this can be both inadvertent or malicious, right? But the average cost of those data breaches is approximately $4.2 million when a malicious insider is involved. That's huge. That's a huge amount of money, significant risk for these organizations. And it's just going to continue to, you know, be a big challenge for them. And so while data leaks and thefts might have been overshadowed by external threats in the past, they've become one of the most important vulnerabilities and risks that an organization needs to address today. 

Raman Kalyan: And from there, you know, as you think about how organizations are trying to address these challenges, they really are taking more of what we would think of as a fragmented approach, right? We had some recent Microsoft research that showed that 80% of decision-makers purchase multiple products to meet their compliance and data security needs, with the majority of them purchasing three or more products. Not only is that complex to manage, but it's expensive, and it's likely not going to deliver the kind of results that you're looking for in terms of trying to protect your data effectively, right? And so really trying to reduce this complexity, taking a more integrated approach and really focusing on what is important and how to control this risk, getting visibility into your data and then focusing in on how you can prevent data loss from not only external actors but, more importantly, internal actors is really, really important. 

Erica Toelle: So when you're thinking about a comprehensive data security solution, how do you do that without hindering employee productivity? 

Raman Kalyan: Yeah. You know, that's a great question, Erica. When I think about how organizations approach data security - right? - typically, the solutions that they try to use today involve traditional approaches that can be - you can consider it like a hammer-and-nail approach, right? You're just taking a hammer to this whole thing. And the hammer doesn't work. You turn the dial to the right, and all of a sudden you have, you know, blocked everyone from sending emails outside the organization, or you have blocked everyone from downloading content from a specific site. So organizations recognize that that's a challenge. And what they do then is they say, OK, well, great, I'm going to try to implement a set of rules to help me control that risk. Well, those rules need to evolve. They need to be dynamic. But that's not the nature of the traditional tools that help you try to protect your data within your organization. 

Raman Kalyan: And so what's really important is to say, what is the risk level of a particular individual as they're actually interacting with that particular data set - right? - and really zeroing in on that. And there's some exciting things that we're going to talk about later in this podcast that really get to that, which is focusing in on not only what is the most important sensitive data that you need to protect but then ensuring that it's protected from the users that may be of the highest risk within your organization or from external actors that may be of the highest risk. 

Erica Toelle: So, Liz, I know you've been doing a lot of work in this space, speaking with customers. How are you seeing teams and companies implement an effective data security strategy? Like, what steps should they take? 

Liz Willets: Yeah. That's a really great question, Erica. So, you know, thinking about the steps you need to take in order to implement an effective data security strategy, you know, just think about what companies ultimately want to do. And back to Raman's point earlier - I'm going to put it plain and simple - they really just want to prevent someone from taking their data, right? And so organizations really need to create an integrated and holistic data security approach to keep that data safe regardless of where it lives. And so kind of what that looks like to me is three-pronged. First, they need to simply just have visibility into their data estate - so really focused around discoverability. Is that data on premises? Is it hybrid? Is it multi-cloud? And then similarly, they need to protect it. You know, they need to classify, label items as highly confidential. They need to encrypt data. And so having visibility into the data estate is super important. 

Liz Willets: I think, second, I would say they really need to identify risk and then mitigate that risk, right? And so they can do that by correlating signals to identify user intent. So, you know, say I uploaded a file onto my USB. That single action itself doesn't necessarily, you know, give you much insight into my intention, but if you're able to correlate, you know, a series of actions - yes, I uploaded it to my USB, but then I renamed that file. Then I sent it to my personal email address, et cetera. You know, now you can really understand what I'm doing with that data and that it might actually be at risk of something like data theft. So that identification of risk is super important. 

Liz Willets: And then thirdly, you know, once organizations, they know their data, they know their risks and the actions that users might be taking against that data, they next need to - and probably ultimately need to prevent that data loss. And so that could be just having a data-loss prevention policy in the first place. Or as Raman kind of alluded to, that could also be identifying Liz, a high-risk user - she's clearly trying to evade detection here - can we block her? Can we block her from accessing other classified documents to help reduce that risk? And so really, as companies think about their approach, they really need all three layers. They need that visibility and protection. They need to understand risk. And then finally, they need those policies in place to actually prevent their users from taking that data. 

Liz Willets: And so kind of as we think about those last two pieces, understanding the risky activities and preventing that data loss - Raman, I know that you were part of the team that actually brought insider risk management to market a few years ago, and so I would love to hear about, you know, how you thought through that whole scenario of leveraging insights from risky insider activities to actually inform data loss prevention strategies. 

Raman Kalyan: Yeah, absolutely, Liz. Yeah, it's been an interesting journey with insider risk, right? I mean, it all started with a conversation with our CISO, asking him, you know, what kept him up at night. And he said, well, you know, I'm concerned about all the geopolitical stuff, all the macro things that are happening out there, but really, the things that maybe keep me up at night are insiders at Microsoft. And from there, we went down this journey of developing insider risk management. And so four years later, here we are. And I'm excited about where we're going with not only insider risk management but the integration with data loss prevention, to your point. 

Raman Kalyan: So when you think about, you know, in the past, admins might receive a ton of alerts when files containing sensitive information are being shared, transferred, copied or printed across the organization, right? And this can be overwhelming for their resources, for their operations. It's draining to triage and address all the alerts when there is limited insight into why the alert is being generated. Is the file sensitive? Is the user really trying to take the file? What else was the user doing as part of that particular sequence, right? 

Raman Kalyan: And this is where you can leverage the machine learning-driven analysis that is inherent as part of insider risk management to really identify risky user behavior and take those signals and then pass those signals to a solution like data loss prevention and then dynamically update the DLP policies for that particular user to ensure that that user - if their risk level passes a certain threshold that you might have identified, then that user cannot do X, Y, Z. Could be, I'm going to warn them as a first step to say, hey, you're sharing sensitive files outside the organization. Could be, hey, they ignored the last three warnings. They're also submitting their resignation. You know, they've also submitted their resignation. They may have been downloading a significant amount of other sensitive information. And so their risk level seems to be pretty high. So at this point, you might actually want to block them, right? But that's interesting. 

Raman Kalyan: Going back to the point that, you know, Erica - or the question Erica asked me at the beginning, which was around how do you ensure you don't hinder employee productivity? Well, there, everybody else within the organization or most people within the organization aren't going to get blocked because they're not doing these risky types of activities, right? And so that's where the power of machine learning and understanding the user risk level as they interact with your data and understanding whether that data is sensitive or not and what they're doing with it and what they've done with it in the past up to that point is so important. That's where you can leverage the power of our solutions to really kind of build upon or really kind of bring this data security to life, Liz, right? 

Raman Kalyan: You understand the sensitive data. You understand the risk level of the user as they're interacting with that data. You then dynamically apply DLP policies to the riskiest users for the most critical data. And you do this in an ongoing, automated way, right? And that's where adaptive protection - it's this new capability that, you know, we're launching that really sort of brings this all together, right? It's context-aware detection, dynamic controls and automated mitigation so that you're taking the burden off of your security teams and presenting them with the most critical risks that they can then take action on. But in fact, the solution's already taking action on their behalf before it gets - you know, before it becomes too big. 

Erica Toelle: I think I just had an aha moment. So in the past, we were talking about this balance between productivity and security because we were having to kind of overprotect in case one of these incidents happened at the expense of everyone. And what you're talking about is, instead of having to apply it to everyone, detecting that risk and just mitigating it from that person. I love this. 

Raman Kalyan: Yeah. It's awesome. 

Erica Toelle: I mean, this sounds great. So how would you recommend that teams prepare for this or get started on this type of data security strategy? 

Raman Kalyan: Yeah. So that's a good question, Erica. I think, you know, what I would recommend is, you know - first of all, this set of capabilities that we're talking about is available in Microsoft 365 E5, right? And so getting started with it is really easy. You have an E5 license? Great. You can go into insider risk management within your Microsoft Purview compliance portal and go ahead and run analytics within insider risk management. That will give you a - within 24 hours, you'll get a view into the different types of risks on a percentage basis, not at an individual basis. So you're not really - you're looking at it in aggregate. You get a sense of the types of risks that are occurring within your organization. What percentage of your individuals are actually sharing sensitive information outside the organization? How many are downloading sensitive content onto their desktop? 

Raman Kalyan: In addition, we actually also have the ability to - since we've integrated with Azure Active Directory, we have the ability to actually understand whether users with a resignation date are also doing those types of things. So it kind of gives you that sort of sense of what's going on within your organization. From there, you can then go ahead and quickly turn on a policy. To get even more detail, you can set up, you know, adaptive protection within there. At the same time, you know, I would recommend turning on data loss prevention, just having it run in audit mode within your organization. And then you can combine the two, like I mentioned, with adaptive protection to really sort of take that identification of risks and, you know, really sort of map it and correlate it with prevention of data loss. And, of course, if you don't have the E5 license, you can go ahead and get a trial, and that's easy to do as well. 

Liz Willets: Yeah. That's great, Raman, and we're super excited about adaptive protection. It really seems like it's kind of the future of the data security market, as we help customers as they continue to evolve their needs, right? Would love to hear, you know, how you kind of see the data security space continue to evolve over the next couple of years. 

Raman Kalyan: Yeah, absolutely, Liz. As I mentioned at the beginning, just - organizations are going to continue to create more and more data. And not only that, but the types of data are going to evolve, right? As you, you know, think about podcasts, as you think about videos, as you think about audio, all of those things are becoming more and more prevalent within these organizations. And with that becomes - or comes more digital threats to, hey, I've got a recording that might have sensitive, you know, conversations. How do I protect that recording from threats, right? 

Raman Kalyan: And you're also probably going to see, you know, more stringent data security laws, like we saw with GDPR. And privacy is paramount, right? Private data needs more security due to its sensitive and confidential nature. So you need to take that into account as part of your data security strategy, right? How do you protect that data? How do you identify it? It all goes back to those three foundational principles that we outlined in the beginning - right? - understanding and getting visibility into your data estate, identifying the risks and then mitigating against those risks. That's the three-pronged strategy that you need to take to really ensure that you can effectively protect your data. 

Erica Toelle: Thank you so much, Raman and Liz, for joining us today. That's just about all the time we have. So to wrap up, I'd love to ask a question that we ask all of our guests. What is your personal motto, or what words do you live by? 

Liz Willets: So this is just off the cuff, but I always used to say in my past career that I like to get stuff done. And so I'm somebody who likes to just check off a to-do list, and that's kind of how I live my life. So that's my motto. 

Raman Kalyan: Awesome. I love that. That's great. My motto is focus on what's important and maximize your time because time is something that is finite, and it is not something that you should waste. So whatever you do, focus on the thing that's going to have the highest impact, and the things that aren't, let those go, and don't worry about it. 

Erica Toelle: I love both of those. 

Raman Kalyan: Erica, what's your motto? 

Liz Willets: How about you, Erica? 

Erica Toelle: Normally, I don't get asked, but I love that. So I'll combine both of yours and just say maybe a theme for right now, which is sometimes done is better than perfect. 

Raman Kalyan: Yeah. Absolutely. Keep moving. 

Liz Willets: I like it. 

Raman Kalyan: Keep moving forward. 

Liz Willets: Good way to wrap it up, too (laughter). 

Erica Toelle: So thanks again to you both for joining us today on this episode of "Uncovering Hidden Risks." Really appreciate your insights and sharing that with our audience. 

Raman Kalyan: Thanks, Erica. Thanks, Liz. 

Liz Willets: Awesome. Thanks, Erica. Thanks, Raman. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us at @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform, and you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.