We often see privacy and cyber security working together to manage the risks to organisational data and personal information. But we don’t often see information/data governance and cyber security functions leveraging one another’s tools and expertise, and we notice that our clients don’t ask us for these services together either. In the past, we’ve talked about how data processing inventories (DPI) help us deliver privacy uplift projects to our clients. The post below discusses how DPIs are just as effective at supporting cyber security initiatives.
It’s not a good look when your customers hear about a cyber attack in your environment from the news rather than you. But it looks like that’s what’s happened with digiDirect.
On 30 September, Cyber Daily reported that a threat actor had posted that 304,000 rows of data had been exfiltrated from digiDirect. At the time of writing (more than a month later), no news outlets appear to have successfully received a response from digiDirect (although digiDirect is now displaying a notification on their website, which indicates that they discovered the breach a day after the news item broke), and many customers are relying on third-parties like haveibeenpwned to see if they’ve been impacted in the breach.
B2B organisations aren’t much faster at answering questions about the impact of a data breach either. Vendors and suppliers can take months to notify impacted businesses about a data breach, and then drag their feet answering questions about who may have been impacted then as well.
In our experience, part of the problem is discipline silos, which leads to poor internal understanding of what has/is happening and poor external communication. Cyber might be able to say if someone broke in, but they might not be sure what got stolen, or be able to assess it for significance or business impact. Similarly, data governance teams can be fairly knowledgeable about business information, systems and processes but be in the dark about attack surfaces or what a tier 1 asset is. Cyber and data governance have interconnected domains, but they’re not in the habit of working closely together. Consequently, cyber may respond to data breaches as if they don’t know what’s happened in their own environments. Or they may in fact not know.
This is a call to action. What are we missing when these teams aren’t collaborating? What decisions could cyber make if they were better informed by an understanding of the data they’re protecting? What work could data governance be doing behind the scenes to support cyber in providing front-line defence?
The problem: What we see during cyber security assessments
In our experience conducting cyber security assessments (CSAs) across different kinds of organisations, we often encounter a significant issue: a lack of understanding around data flows and asset criticality. This gap can lead to inaccurate CSA results and makes it challenging to implement effective security controls. Here are a few common themes that stand out:
- Data Location and Ownership: Organisations frequently have an incomplete picture of where their data resides, especially when it involves third-party vendors. Without a clear understanding of data locations and flow, managing security risks and ensuring compliance becomes difficult. This often leads to missed vulnerabilities, especially in outsourced or cloud environments where visibility can be limited.
- Securing Data: Knowing that data is secure requires more than just implementing firewalls and encryption; it demands an understanding of the journey data takes through an organisation’s ecosystem. Many clients struggle with this holistic view, and without it, they often rely on assumptions that their data is safe, which may not always be accurate.
- Sensitivity vs. Necessity: Many organisations can classify their data based on sensitivity, such as distinguishing between public and restricted information. However, they may overlook whether the data is still necessary for business operations or if it is mission-critical. For instance, data may be labelled sensitive but could be outdated or unnecessary, leading to retention of risks without value.
Organisations tend to get fixated on certain aspects of data management, like sensitivity, without fully understanding their data in context. This narrow focus often results in critical business assets being stored on non-critical infrastructure, creating gaps in security posture.
For example, it’s not unusual to find that Tier 1 processes, which are essential to business continuity, are stored on Tier 2 or Tier 3 assets. This mismatch can lead to inconsistencies in both data protection and disaster recovery planning, where high-value data is under-protected simply due to its storage location or the associated processes.
This is where data processing inventories can help
Data processing inventories give visibility over data handling processes while placing those processes in their business contexts. For every process, the DPI lays out what is happening and why: what data is being collected, where it’s stored, how it’s processed and with whom it’s shared, as well as what business function is being served by the process.
We’ve found DPIs to be most in demand by privacy teams. They want to understand where personal information sits in their organisations, and identify where their sensitive personal information is going. But data processing inventories are flexible tools.
When data governance teams complete a DPI, they leave cyber teams with a structured map of the organisation’s data landscape — a vital starting point for building effective, risk-based security measures. Here’s how cyber teams can leverage a completed DPI to enhance protection efforts:
- Targeted risk assessment and prioritised controls
With the DPI’s detailed view of data assets, cyber teams can begin their work with a clear understanding of which data is most sensitive, where it resides, and its movement across systems. This enables them to focus security controls on high-risk areas — such as encrypting sensitive data stores, setting up multi-factor authentication for critical data access points, or establishing stronger monitoring around systems holding personal or regulated information. - Enhanced threat modelling and attack-surface management
The DPI outlines data flows and touchpoints, enabling cyber teams to model threats based on the real paths data travels. This insight helps cyber professionals pinpoint vulnerable areas in data flows, such as external-facing interfaces, cloud storage, or third-party integrations, allowing them to establish targeted defences. Understanding the data journey allows cyber to reduce the attack surface by focusing on actual rather than assumed vulnerabilities. - Third-party security oversight
DPIs typically identify all third parties that process, store, or access data, clarifying the points of data exchange and dependencies. Cyber teams can use this information to strengthen third-party risk management practices, such as by implementing stricter access controls, identifying critical third parties, and setting up continuous monitoring for third-party connections to ensure alignment with internal security policies. - Data minimisation and access management
With a DPI, cyber teams can better manage the principle of data minimisation, as they now know where data is unnecessarily duplicated or over-retained. This allows them to apply security controls efficiently, focusing on active, business-critical data and removing or archiving data that no longer serves a purpose. They can also design role-based access models based on the criticality of data to further enhance access control. - Faster and more accurate incident response
The DPI’s detailed information on data locations and access paths supports a faster, more focused incident response. If a breach occurs, cyber teams can quickly identify which systems hold the compromised data and assess the scope of impact. This efficiency helps reduce data exposure, contain incidents more effectively, and fulfill regulatory reporting requirements with accuracy.
Conclusion
We’ve found data processing inventories to be most in demand by privacy teams, but we think they have so much more to give. A well-maintained data processing inventory provides critical visibility into how data flows within an organisation, helping enhance cyber security efforts by enabling better data protection, reducing vulnerabilities, ensuring compliance, and supporting incident response. In essence, it becomes a foundational tool in maintaining a strong security posture.
If you’re interested in learning more about completing a data processing inventory in your organisation, please contact us.