Security & Mobility Blog

How Are You Protecting Your Data?

by Juniper Employee on 08-31-2010 10:28 AM - last edited on 02-08-2011 05:23 PM

A fundamental fiduciary responsibility of any Chief Information Security Officer (CISO) is to protect the information/data assets of the organization they are a part of.  There are many different approaches that can be taken to achieve the level of data protection that the organization desires, with an eye to lowering their overall information risk levels while managing the cost of protecting information.

 

Data plays a crucial role in any organization.  Data is valuable.  Data often equals money or competitive advantage for most companies.  Different types of data are often valued differently, depending on where you sit in the organization.  Being aware of the *actual* value of the data assets and the impact of their loss to your organization is key to deciding on the level of data protection that should be applied to various data types.  This same knowledge can also assist in the prioritization and cost justification of your data protection investments.

 

Remember, data has a life of its own!  The data you seek to protect may be found at rest, in motion, or being used by systems or applications.  And, I've not even mentioned the volume and type of data you are seeking to protect, and how far and wide it may be spread (plus, add in the complications that would be imposed by cloud computing or other complexities).

 

Following the defense-in-depth model, the combination of methods and technologies brought to bear on data protection must meet the confidentiality, integrity, and availability requirements appropriate to the organization's data.

 

Confidentiality of data can be managed through the use of technologies such as encryption and access control.  Managing the integrity of data is a bit trickier because we can typically only detect changes made to data after the changes have been made.  We can see that a change has occurred through hashing or redundancy checks, through the use of digital signatures, or through tripwire methods.  In general, it's really tough to prevent changes to data!
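The sketch below illustrates that detect-after-the-fact model; it is an added example, not code from the original post. It records a SHA-256 baseline of a directory and later reports what changed, with an HMAC over the baseline standing in for a digital signature. The function names, the demo key, and the sample files are all constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _tag(manifest, key):
    # Canonical JSON so the same manifest always yields the same MAC.
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def build_baseline(root, key):
    """Record a SHA-256 per file, plus an HMAC over the whole manifest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = _digest(full)
    return manifest, _tag(manifest, key)

def verify(root, manifest, tag, key):
    """Compare the tree against the baseline; report what changed."""
    # An unauthenticated baseline could be rewritten along with the data.
    if not hmac.compare_digest(tag, _tag(manifest, key)):
        raise ValueError("baseline manifest failed authentication")
    current, _ = build_baseline(root, key)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: stored off the monitored host
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("payroll.csv", b"alice,5000\n"), ("notes.txt", b"q3 plan\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest, tag = build_baseline(root, key)
        with open(os.path.join(root, "payroll.csv"), "wb") as f:
            f.write(b"alice,9000\n")  # the change succeeds; nothing prevents it
        os.remove(os.path.join(root, "notes.txt"))
        return verify(root, manifest, tag, key)  # ...but it is detected afterwards

if __name__ == "__main__":
    print(demo())
```

The check only tells you that payroll.csv differs and notes.txt is gone; restoring the data is an availability problem, handled by backups or redundancy.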

 

As for ensuring the availability of data, this is an area that can drive the bulk of your costs to maintain and protect data.  Often, there are many computing or networking resources involved, with a variety of controls employed in each realm.  Whether network- or host-related issues are involved, vigilance is required to reduce risk exposures inherent to the specific resource.  Building in redundancy is a popular, though sometimes costly, way to keep data available.

 

Keep this in mind: the efficacy of your data protection program will be measured by how well the many facets are managed, in isolation and in combination with one another.  And, across the peer group of seasoned CISOs with whom I regularly connect, we've all learned many of these lessons from at least one data protection failure!  It's all about how you respond to these unwelcome, yet valuable learning experiences!

 
