For security education: Avoid scare tactics, focus on value

CIO Security

The importance of sharing cyber risk with the business came home to me on a personal level given the recent hack at a hospitality industry leader. From what I’ve been able to determine, the problem began in a legacy payment processing system the company still operated. Should the gateway for that system have been eliminated and replaced? Hindsight is 20/20, but the answer is clearly yes.
 
Now here we are several months later, and there is plenty of cost to bear. The company’s stock is down 20 percent. What’s just as dismaying is that the response at this – and at many other companies – to such catastrophes, even in IT, runs along the lines of, “Well, the security people should just do their jobs.” In the business, it’s more often something like, “Well, the security solution is too complicated for people to use.”

Security as opportunity

This security nonchalance is the heart of the issue. And until everybody in a company has security as part of their job spec, it won’t be taken seriously. Making this a reality is trickier, of course. It also speaks to the primary educational role of IT in a company. As IT executives and managers, the onus is on us to educate people on what IT can do and what it can’t do. The only bit of IT a lot of people are really familiar with is their iPhone or their iPad, and they therefore perceive everything as being as simple as those things. In practice, behind the covers, that isn’t the case.

It’s also a challenge because security is just like insurance. Nobody thinks they need insurance until something happens that it would have covered. I have always found that one of the most demanding issues is how to get people’s attention without scaring them. If you lean too heavily on fear, IT sounds like "The Department of No," which happens to be one of the instigators of shadow IT. And no vendor is going to come in saying, “Oh, I’ve got this solution, and it’s not quite safe, but it is about 98 percent secure.” It extends to development as well.

DevOps really needs to be renamed SecDevOps. DevOps is the concept that development and operations work together to come up with rapidly deployable solutions that can still go into production. I think you’ve got to put the Sec on there as well, because it is not enough to develop something quickly and make it usable; it also has to be secure.

I try to position security as a benefit, or as an architecture that promotes flexibility and accountability. By flexibility, I mean in terms of the constant acquisition and reorganization mode companies are in, be it airlines or hotels or whatever. If you build things as contained entities, where you share development across the entities but allow each entity to operate in its own world, then that gives the business the flexibility to reorganize as business needs change without incurring IT costs in the process. Oh, and by the way, as an added benefit, you also increase your security. So security adds flexibility. It adds speed. And in many cases it will actually also reduce cost. Presenting security in terms people understand, as a potential benefit to the business, is obviously far more palatable than trying to frighten them.

Cliff has held a variety of roles with major global corporations including Barclays, M&M Mars, Diageo, Northwest Airlines and Hyatt Hotels & Resorts. These roles have spanned application design and development; infrastructure architecture and operations; and information security.