A lot of organizations right now, especially corporate boards, are very concerned about security and the never-ending question: “Are you doing enough?” The honest answer to that question is always going to be no. There is always something more you could be doing, because security threats and risks are constantly changing and evolving. But unless your sole responsibility is security, you have to pick and choose your battles and figure out how to prioritize security among your many other tasks as CIO.
It helps to recognize that security is a journey; it’s not a project or task that you'll be able to check off your list in a few months. It’s an ongoing exercise. CIOs must have a constant sense of vigilance, routinely asking, “Where am I potentially weak?” Think in terms of who may want to exploit the environment and how that might happen, and then let that shift your thinking into where you want to focus your security resources.
In putting this approach into practice within my own organization, there are a couple of key areas where I've shifted more attention in response to evolving security needs. Lately, I've been spending more time revisiting the fundamental architecture of the way systems have been deployed and installed. We are reflecting on how we have deployed environments and how we have deployed base infrastructure over the past five, six, or seven years to ensure that the framework those systems were installed into fits the new mantra of security today as we look forward into the future.
Another area that I spend a lot of time talking about is the interface between security and the actual consumers of the resource, the employees. Some security measures can look a little heavy-handed to some users, especially those who are more accustomed to operating in an open environment. On the one hand, Premier, being in the healthcare industry, is expected to have a certain level of security measures around things like data loss prevention and SSL inspection. We handle sensitive data—personally identifiable information, patient records. We need to be mindful of who has their hands on that data at all times. And we certainly need to know if anything traversing our network ever even comes close to looking like a record of a patient.
On the other hand, for those people on the network who are accustomed to operating in a free “everything is open, and everything is allowable” environment, we need to take the time to explain the business reasoning and value of our approach, or they may themselves become the security risk. I've found myself spending more and more time educating users and helping them understand why we are making certain technology choices, and why we’re choosing to implement technology in specific ways, so that they understand the need of the business.
For example, we use a URL filtering vendor to prevent users on our network from visiting sites that have been known to host malicious content, like adware or phishing. It's a somewhat imperfect technology: what's legitimate in one person's mind – perhaps even a website that they use all the time – may look to the technology like an untrusted site. And we occasionally bump into situations where the tool has misidentified a website and blocked users from a secure site.
In both of these scenarios, we want to make it clear that we are not blocking employees for the sake of blocking, or tracking every move they make online. We're using that technology because it's the expectation of a business that operates in the field we do, and keeping a close eye on the data is what's most important to the company. The ability to handle those conversations well and use them as educational moments sets the tone of how your company’s security policy is viewed and internalized by your employees.
Randy Franklin is currently VP-CIO of Premier Healthcare Alliance, a Group Purchasing Organization and Healthcare Informatics company headquartered in Charlotte, NC. Randy is responsible for infrastructure, service delivery, security operations and enterprise applications at Premier and has been in IT for over 15 years, spending the majority of his career in the data center hosting and managed services domain. Randy has bachelor's and master's degrees in Mechanical Engineering from North Carolina State University. Randy resides in Charlotte, NC with his wife and two children.