As Rob said in his comment on Dominic's post, probably both are right. I believe the right approach is a mix of data centric and threat centric security. A good takeaway from Rob's post is the suggestion on working on a basic information categorization instead of using the old sensitivity levels classification model; it's just more natural to people and avoid that "oh my data is too important to me so it's probably top secret".
From the other side, a good view about why a threat centric approach is also important is Dominic's comment about pivoting and the consolidation of information containers. Using the threat centric approach helps dealing with that more than just trying to protect stuff according to classification labels.
This discussion just reinforces my suggestion of having two separate groups within the organization, each one with different roles (threat and protection) and bringing their findings and suggestions to the CSO (or a security architect) to define prioritization and strategy. That's probably how we could get the best from both approaches.
1 comment: