Turn the Risk Management Paradigm On Its Head

Security policies don’t appear out of thin air. They develop over time, in response to new threats, changing regulations, or after a dose of hard-earned experience. The rules and practices we use to enforce policies don’t just magically appear either. Quite the opposite – many organizations dedicate staff to managing the rules needed to implement policy. These rules, taken together, explicitly define how your organization manages risk.

But effective risk management is still a struggle. The problem lies in how we’ve defined the task, and with the technologies we use to do it:

  • Rules-based approaches evaluate risk in isolation. A DLP product, for example, processes files like a firewall processes packets. A file arrives, DLP evaluates it in isolation using a pre-defined set of rules, and then decides whether to allow it through.
  • You can’t think of everything. Try as you might, it’s not possible to foresee whether a rule will correctly evaluate every file it will ever see. Even if you could write the perfect rule today, there’s still no way to know how the business (or the world) will change tomorrow.
  • The tight/loose question. Should you write a “tight” rule that erroneously blocks legitimate traffic (false positives) or a “loose” rule that might let sensitive information escape (false negatives)? Tuning one down pushes the other up, so it’s a tough tradeoff between user productivity and data security.

So far, I’ve focused on explicit security policies and how organizations define and enforce them. But organizations have implicit policies too. A few examples will show what I mean:

  • Your legal team works with a mix of confidential contracts and more mundane documents. They share, store, and mark these documents differently.
  • Engineering creates proprietary source code and sensitive product plans. Both types of documents are sensitive, but they’re used and accessed by different people in very different ways.
  • An advisory group within a large bank creates materials for its corporate clients that are used by only a small team at the bank.

In each case these files, collectively, define an implicit risk management approach that all similar files follow – even if you haven’t consciously defined a policy. If we can uncover these implicit policies, we can turn the traditional risk management paradigm on its head: instead of trying to figure out rules that apply to every file, the file groups themselves can define how we manage risk for similar files.

Two elements have to be in place for this to work. First, we need to accurately group files in a way that’s highly correlated with the risk those files represent. Second, we need a way to spot outliers (either existing files or newly created ones) that don’t conform to their group’s security profile, for example a contract that is shared far more widely than every other contract.
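As an added illustration (not Concentric’s code, and not a description of how Semantic Intelligence works internally), the following Python contrasts the two models discussed on this page: the rules-based check from the bullets above, where a regex judges each file in isolation and the tight/loose choice shows up as false positives versus false negatives, and the peer-group check just described, which first groups similar files and then flags any file whose sharing audience its peers do not use, including a newly created file. The file contents, sharing audiences, regexes, the Jaccard token-overlap clustering used as a stand-in for deep-learning grouping, and the 50% peer threshold are all constructed assumptions.

```python
import re

# ---- Part 1: a rule evaluated per file, in isolation (the tight/loose tradeoff)
# Constructed samples; the bool is the ground truth the rule should reproduce.
RULE_SAMPLES = [
    ("onboarding form, SSN 123-45-6789", True),
    ("payroll export ssn 123456789 net pay 4100", True),   # SSN written without dashes
    ("purchase order 987654321 for 40 laptops", False),    # a harmless PO number
]
TIGHT_RULE = re.compile(r"\b(\d{3}-\d{2}-\d{4}|\d{9})\b")  # dashed SSN or any 9 digits
LOOSE_RULE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # dashed SSN only

def rule_errors(rule, samples=RULE_SAMPLES):
    """Return (false_positives, false_negatives) for a regex DLP rule."""
    hits = [(bool(rule.search(text)), sensitive) for text, sensitive in samples]
    fp = sum(1 for hit, sensitive in hits if hit and not sensitive)
    fn = sum(1 for hit, sensitive in hits if not hit and sensitive)
    return fp, fn

# ---- Part 2: group similar files, then judge each file against its peers
# Constructed corpus: "text" stands in for content, "shared_with" for the audience.
FILES = [
    {"name": "msa.docx", "shared_with": {"legal", "finance"}, "text":
     "master services agreement between acme and client; confidentiality, indemnification and liability clauses; term and termination"},
    {"name": "nda.docx", "shared_with": {"legal", "finance"}, "text":
     "non-disclosure agreement between acme and vendor; confidentiality obligations, liability cap, term and termination"},
    {"name": "license.docx", "shared_with": {"legal", "finance"}, "text":
     "licensing agreement: acme grants client a license; confidentiality, indemnification, liability, term and termination"},
    {"name": "sow.docx", "shared_with": {"legal", "public-link"}, "text":
     "statement of work agreement between acme and client; deliverables, confidentiality, liability, term and termination"},
    {"name": "build.py", "shared_with": {"eng"}, "text":
     "import os; def build(target): return compile(target, flags)  # build module"},
    {"name": "test_runner.py", "shared_with": {"eng"}, "text":
     "import sys; def test(module): return run_tests(module, flags)  # test runner"},
    {"name": "module.py", "shared_with": {"eng", "contractor-x"}, "text":
     "import os; class Module: def compile(self): return build(self.target)"},
    {"name": "q1_report.pptx", "shared_with": {"advisory-team"}, "text":
     "quarterly advisory report for client portfolio: allocation, performance, outlook"},
    {"name": "q2_report.pptx", "shared_with": {"advisory-team"}, "text":
     "advisory report: client portfolio allocation review and outlook, quarterly"},
    {"name": "q3_report.pptx", "shared_with": {"advisory-team"}, "text":
     "client portfolio performance report, quarterly advisory outlook"},
]
STOPWORDS = {"a", "an", "and", "the", "of", "for", "to", "between", "by"}

def tokens(text):
    return {w for w in re.findall(r"[a-z_]+", text.lower()) if w not in STOPWORDS}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster_files(files, threshold=0.3):
    """Greedy single-linkage clustering on token-set Jaccard similarity: a toy
    stand-in for the deep-learning grouping the post describes."""
    clusters = []
    for f in files:
        toks = tokens(f["text"])
        for c in clusters:
            if max(jaccard(toks, tokens(m["text"])) for m in c) >= threshold:
                c.append(f)
                break
        else:
            clusters.append([f])
    return clusters

def sharing_outliers(clusters, min_peer_fraction=0.5):
    """Map file name -> audiences its peers do not share with.
    A principal is normal for a file when at least min_peer_fraction of the
    OTHER files in its cluster are also shared with it. A singleton cluster
    has no peers and is never flagged: there is nothing to compare against."""
    flagged = {}
    for c in clusters:
        for f in c:
            peers = [p for p in c if p is not f]
            if not peers:
                continue
            unusual = {who for who in f["shared_with"]
                       if sum(who in p["shared_with"] for p in peers) / len(peers)
                       < min_peer_fraction}
            if unusual:
                flagged[f["name"]] = unusual
    return flagged

def check_new_file(new_file, files=FILES):
    """Judge a newly created file by its peers, with no rule written for it."""
    outliers = sharing_outliers(cluster_files(files + [new_file]))
    return outliers.get(new_file["name"], set())

if __name__ == "__main__":
    print("tight rule (fp, fn):", rule_errors(TIGHT_RULE))
    print("loose rule (fp, fn):", rule_errors(LOOSE_RULE))
    print("sharing outliers:", sharing_outliers(cluster_files(FILES)))
```

Run it and the tight rule reports one false positive (the purchase-order number) while the loose rule reports one false negative (the undashed SSN); no single regex gets both right. The peer-group pass flags the statement of work shared via a public link and the source file shared with an outside contractor, with no rule written for either case, and it judges a new NDA the same way the moment it appears. The caveat is that the approach is only as good as the grouping step: a file placed in the wrong cluster is judged against the wrong peers, and a file with no peers at all (a singleton cluster) cannot be judged this way.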
Essentially, this crowd sources risk management. Except in this case, the “crowd” isn’t a group of smart people – it’s a group of similar files. Recent artificial intelligence capabilities make a crowd-sourced security model possible. Concentric’s Semantic Intelligence solution uses deep learning to autonomously group files into clusters (like contracts, source code, or client reports) and then compare each individual file with its peers. It’s a powerful new approach to data security that delivers better results without rules, regex, or end-user involvement.