Perforce Software – a DevOps company for global teams requiring speed, quality, security and compliance at scale along the development lifecycle – recently announced the findings of the Delphix 2024 State of Data Compliance and Security Report. The inaugural report delivers research on the challenges of protecting sensitive data in non-production or lower environments, such as development, testing, analytics and AI/ML.
“Our goal with this report is to share the realities of sensitive data exposures in non-production to help enterprises better protect their data moving forward,” said Ann Rosen, Director of Product Marketing for Delphix by Perforce. “Protecting sensitive data – data with personal identifiable information (PII) – in non-production has become more important over the years as cyberattacks target these environments. Companies need to do more to protect sensitive data.”
The report also reveals that the challenge of protecting sensitive data will only get more complex with the rise of AI. Over four-fifths (85%) of enterprises report concerns about regulatory non-compliance in AI environments. Even more troubling, 68% of organisations surveyed perceive a lack of solutions to tackle data privacy in AI environments.
“AI is transforming industries, and data is at the heart of AI,” said Rod Cope, Chief Technology Officer of Perforce Software. “When it comes to AI and data, it can be a double-edged sword. There’s a lot of excitement around the innovation possible in AI, but data in AI environments must be protected. The findings in the State of Data Compliance and Security Report underline the importance of complying with data privacy regulations in AI environments, too.”
Overall, 91% of organisations are concerned about the expanded exposure footprint across all lower environments (including software development, testing and data analytics). Yet 86% of organisations allow data compliance exceptions in non-production. As a result, 54% of organisations have already experienced a data breach or theft involving sensitive data in non-production environments. In Delphix’s experience, if this data is not protected, the consequences can be dire. Over half (53%) have already experienced audit issues and failures related to non-production.
To mitigate these concerns, organisations are turning to tools and approaches like static data masking, cited as a current solution by 66% of organisations surveyed.
“We hear all the time from customers that exceptions are given because it’s too complicated and time-consuming to achieve compliance without slowing down development or impacting quality,” said David Wells, Product Lead of Compliance Products for Delphix by Perforce. “At Delphix and Perforce, we believe that with the right approach, you can achieve compliance rapidly without bottlenecking innovation. Static data masking is the best way to protect your test and development data. You need production-realistic data to detect defects as early as possible in the development lifecycle, but you certainly shouldn’t use production data for this purpose. That’s why we’re continuously evolving Delphix masking solutions to meet the ever-expanding data compliance landscape, regardless of data source or environment.”
We hear from Haider Pasha, CSO, EMEA & LATAM, Palo Alto Networks; Samantha Kight, Head of Industry Security, GSMA; Christian Have, CTO, Logpoint; Nick McKenzie, CISO, Bugcrowd; and Ed Macnair, CEO, Censornet, who share their thoughts and advice on how security leaders can protect data alongside sweeping innovations.
Haider Pasha, CSO, EMEA & LATAM, Palo Alto Networks
A key way to balance strong security and compliance measures with the need for innovation is by integrating security into the early stages of the development lifecycle, known as ‘shifting left’.
By embedding automated security controls and compliance checks within CI/CD pipelines, security becomes an inherent part of the process without slowing down innovation. Automation reduces the chances of human error and ensures that security checks are not sacrificed for speed. Integrating such checks and controls directly into the pipeline means security becomes a natural part of the development process rather than an afterthought.
This also helps foster a DevSecOps culture, where security is integrated into DevOps from the beginning. This means the development, operations and security teams work together, ensuring security policies are continuously applied without hindering innovation. CISOs can promote this approach by ensuring developers have the tools and knowledge to implement security early and often.
In addition, CISOs can streamline compliance by adopting ‘compliance-as-code’ practices, where compliance specifications are written in code and integrated into the automated deployment pipeline. This allows for automated, real-time assessments that align with regulatory standards.
While balancing speed and security, making sure continuous monitoring is in place is also vital. This can be helped by leveraging AI and Machine Learning, enabling adaptive security policies that respond to emerging threats in real-time. This dynamic approach ensures that security policies evolve without hindering innovation.
It’s also worth highlighting that instead of attempting to secure every potential risk equally, organisations should take a risk-based approach where security efforts are focused on the most critical threats. CISOs should use intelligence and analytics to identify and prioritise risks that could have the greatest impact on the business, ensuring that speed and innovation do not compromise core data security.
By adopting these strategies, CISOs can maintain a strong security posture while fostering innovation and accelerating the development cycle in modern, agile environments.
Samantha Kight, Head of Industry Security, GSMA
In today’s fast-paced technology business environment, CISOs face the dual challenge of maintaining robust data security and compliance while fostering innovation. To achieve this balance, it is crucial to integrate security into the design and development life cycle from the outset.
In the telecom sector, operators are increasingly adopting Development, Security, Operations (DevSecOps) processes, which integrate security considerations directly into software builds. This approach enhances security and accelerates the deployment of code into live networks. By closely linking development and operations, DevSecOps enables a faster cycle time for code development and deployment, allowing for smaller, incremental changes. This agility increases innovation, as teams can quickly implement and test new features.
Additionally, adopting the right assurance and certification schemes supports in-life patching, avoiding the need for full re-certification of software products, thus maintaining a continuous flow of innovation and improvement. With automated security testing and analysis capabilities, it will be of critical value to detecting vulnerabilities early and maintaining a consistent security policy.
Additionally, fostering a culture of security awareness among development teams is essential. Training and awareness about security policies and compliance requirements can empower developers to make informed decisions that prioritise security without stifling innovation.
Moreover, adopting a risk-based approach to security allows CISOs to focus resources on the most critical areas, ensuring regulatory compliance while enabling agile development practices. Collaboration between security, development and operations teams is key to creating an effective and secure development environment that supports both speed and innovation.
Mobile telecommunication networks are among the most complex, wide-reaching and long-standing networks in the world. The growing use of cloud security, open-source software and virtualised infrastructure necessitates new skillsets requirements. Comprehensive security guidelines provide CISOs and the wider ecosystem with a structured approach to designing, developing and deploying security best practices throughout an organisation’s technology stack.
Christian Have, CTO, Logpoint
As ransomware and other cyberthreats become more sophisticated and data and cybersecurity regulations expand, security leaders must adopt new strategies not to hinder business agility.
One essential approach is to ensure that the security team works more efficiently. Many security teams struggle with false positives and correlating observations, wasting time they could spend on innovation and detecting real security breaches. CISOs can help by giving the security teams the tools to transition from traditional security models that rely on classical indicators of compromise (IOCs) to a more proactive, behaviour-based detection framework. This shift reduces false positives and allows security teams to respond more effectively, freeing up time to focus on innovation projects, for example.
Automation also plays a crucial role in balancing security with innovation. Automated investigation and incident response mechanisms allow teams to detect and address vulnerabilities quickly without disrupting workflows. Using Security Operations Centers (SOC) or Managed Detection and Response (MDR) services, CISOs with limited resources can streamline incident management and ensure timely responses to threats.
Addressing compliance is another time-consuming aspect, especially with the rise of new regulations such as GDPR, NIS 2 and DORA. CISOs can implement tools that automatically gather the information needed for audits and determining compliance, reducing the manual effort involved. For organisations operating in regions with strict data privacy laws, CISOs must ensure their security strategies respect these local requirements.
This involves choosing cybersecurity tools and solutions that align with national regulations. For example, using cybersecurity platforms that guarantee data storage and processing within specific geographic regions can help organisations meet compliance requirements.
Finally, breaking down silos within organisations is vital for success. Security teams need to collaborate closely with IT operations and risk management to create a unified approach to cybersecurity. This ensures that best practices, such as patch management, network segmentation and Disaster Recovery, are effectively implemented and continuously monitored, supporting both security and operational efficiency.
By adopting advanced detection, automation and stronger internal collaboration, CISOs can maintain robust security and compliance while fostering the speed and innovation essential in modern development environments.
Nick McKenzie, CISO, Bugcrowd
CISOs need to ensure a cross-functional and collaborative approach to validate and control technology assets to Governance Risk and Compliance (GRC), and legal/privacy teams’ internal risk frameworks and regulatory obligation registers. Use of technical integrations and scanning technologies into backend application development/infrastructure pipelines for speedier execution, enforcement and monitoring of any respective compliance to technical controls will ensure nimble business enablement.
Data security and technology compliance should be a ‘constant’ control once it’s understood and implemented. Technical security controls spelt out in UK/EU Directives in NIS, GDPR and UK Data Protection Acts are fairly common, broad and don’t waiver too much in their intentions (e.g. encrypting sensitive data at rest and in transit; ensuring proper access and authentication controls, using data loss tools to prevent loss etc). These should be foundational for CISOs to implement as ‘bonafide standard’ anyway when it comes to any organisation’s ‘secure by design’ blueprints.
However, technology ‘compliance complexity creep’ could play a part from company to company, in line with a company’s business mandate, geographical sprawl, complexity and how regulated they ultimately are.
When country changes are needed, and there is a deviation from Global technology standards, sometimes companies will need to build in-country instances to appease various country-type regulations. Many global financial institutions and regulated Multi-National Companies (MNCs) adopt this model to fulfil and appease in-country business operating licenses. Global and regional technology design blueprints are generally applied and then overlaid with any in-country addendums. This is then managed by in-country CIOs/CISOs or business leaders for large companies, or regional/global leaders for smaller ones. Having such a model shouldn’t dishevel global applications innovation if they are separated, whilst in turn giving the autonomy and testing boundaries needed to operate locally.
Measuring and reporting these data security and internal compliance control obligations back for assessing the requirements is just as important and nirvana is for it to be as fluid and continuous as possible. Leveraging APIs and scanning technologies to automate the configuration management to avoid ‘drift’ of standards is important to look for any rogue, or out-of-policy/compliance development or configuration change.
Given the overlap between compliance obligations and industry risk control frameworks, using GRC tools that map external industry control frameworks such as the NIST CSF that can continuously map controls across other standards (e.g. ISO, SOC) and other compliance obligations is a necessity in any CISO’s toolbox arsenal.
Ed Macnair, CEO, Censornet
CISOs are the frontline defenders of sensitive information. Their primary responsibility is to protect their organisations from data breaches, legal penalties and reputational damage. A single exploited vulnerability can destroy customer relationships, devastate brand value – and in the worst case, threaten the entire business. Given the stakes, strong data security and compliance are essential.
In the last few years, it has become clear that organisations are facing increased interest in the third-party services on which their infrastructure is built. Without the ability to easily identify misconfigurations in cloud services and take corrective action to rectify vulnerabilities, CISOs risk exposure and potential data breaches.
But auditing interconnected cloud environments for compliance is hard work and time intensive. Often, CISOs are bombarded with over 40 alerts an hour – many being irrelevant. What CISOs really need is an easy way to understand the risks they care about. They don’t need their teams trawling through hundreds of compliance alerts, trying to identify which ones to prioritise. CISOs need a personalised take on what risks are most significant for their business, and audit trails that show their organisation is in line with compliance.
Putting in place the right technology to do this frees CISOs to focus on other, more strategic areas. Those that will drive value and impact for the wider business. For instance, their teams can focus on building faster, more effective development and testing processes without sacrificing security. And this is where AI and automation come in. Deployed in the right way, taking an autonomous approach to cybersecurity can significantly reduce the burden on time-poor CISOs and their teams.
For example, automation can facilitate the rapid identification of misconfigurations in cloud services. This speeds up the corrective process to mitigate vulnerabilities and reduces the risk of exposure or a data breach.
AI can also model risk, pinpointing areas where security needs improvement, or vulnerabilities may arise. Furthermore, it can help with the daily grind – compiling, standardising and presenting the information required for compliance processes. This way, staff time is spent on high-impact activities rather than mundane chores.
