BrainWave Consulting Company, LLC is a minority-owned, veteran-owned business that specializes in providing cybersecurity and other technology services to small and medium enterprises (SMB/SME).

Yes, you need to understand technology and cybersecurity architecture.  No, it doesn’t matter what your business is about – you need to understand this if you want your business to succeed.

No, it’s not “fair”. 

No, there’s not enough time in a day. 

Yes, you already have too much to do.

Sure, I get all of that.  But my observation still stands.

As an entrepreneur and business owner who runs a cybersecurity and technology consultancy, I have things I would love to focus exclusively on, too.  I could say that sales and marketing and human resource management are not my thing.  But how long could I manage to stay in business if I did that?

I don’t need to be a marketing professional.  Or a super sales pro.  Or an expert talent scout.

But I do need to understand enough about those areas of my business to appreciate the value of those functions, and to be able to ask the right questions of those whom I ultimately hire or collaborate with to make those functions work for me.  If I know nothing, I won’t know if my needs are being met at an appropriate cost.

As a business owner, you are also a data owner, and it is likely that you leverage a fair amount of technology in your business operations.  You absolutely need to understand enough about data management and data security in order to make good decisions for your business, its employees, and its customers.  And this includes understanding just a little bit about how the systems that you depend upon work, so that you can ask the right questions and obtain the right assurances from the right people about the safety of your data.

It is true that I don’t need to be a mechanic in order to drive myself around, but having some understanding of what goes on under the hood of my vehicle will go a long way toward helping me manage it better and derive maximum value from it.

When you are deciding whether or not to store your data with a specific provider, or use a specific service, or purchase a new application – whether cloud-based or on-premises – an understanding of how the prospective solution manages critical and sensitive data is vital to avoiding surprises and gotchas down the road.

Before committing to a new service or vendor, be sure you have good answers to the following:

  • Where will my data be, and how will it be protected?
  • How will access to my data be monitored, and will I be able to get a record of access?
  • What are the policies and procedures around data retention and deletion?

That’s great for the 30,000 ft view, but let’s get a little bit more detailed with our requests:

  • Who is responsible for securing this data?
  • Is my data physically or logically segregated from the data of other customers?
  • How is the data secured when it is being transmitted from point A to point B?
  • Where will the data be stored?
    • What encryption algorithms are used to protect the data?
    • Who can access the data, and is that access logged?
    • How else is the data secured when it is sitting at rest?

  • How is the data backed up, and who performs the backup?
    • Where will the backups be stored?
    • How long are the backups maintained? 
    • Who can access the backups, and is that access logged?
    • What encryption algorithms are used to protect the backups?

  • If I opt to delete the data, how long is it before it is actually deleted (hard deleted)?
  • What is the process for me exporting my complete data set?
  • What processes do you have for monitoring data breaches?
  • What processes do you have for informing me of data breaches?
  • Tell me more about your security and compliance program.

This is not an exhaustive list of questions, by the way.  But it is a good start, and will almost certainly lead to other questions once you hear some of the answers.

Don’t assume that because a company is well known, they are doing the right thing with your data.  They might have poor processes.  Or, they might have a poor implementation of security. Or, they may offer the security you want at a higher tier than the one you are planning to pay for.

This same approach is important for your role as a consumer, not just when you are in business owner or department head mode.  Many people use internet services without due consideration of where their data will go, or what a breach will mean to them and their family.

You do not need to become a cybersecurity or technology professional, but you certainly need to understand the data security implications of the decisions you plan to make. A lot of people in 2021 have already made huge mistakes with data management and data security.  Don’t become one of them.

A little knowledge doesn’t have to make you dangerous. It could, instead, make you just a little bit safer.