One of the biggest priorities in IT this year will be to finally resolve the ongoing debate: Who is responsible for security? Is it the sole responsibility of IT, the CISO’s job, or is it a business problem? From my point of view, if you don’t think security is part of your job, you become part of the problem. To truly secure the enterprise, security must become central to everyone’s role.
I like to relate this issue to driving. When you’re on the road, your job is to drive the car. But it doesn’t matter how good you are at that job – you could be the best driver in the world – if you’re not paying attention to what’s going on around you, you are likely to have an accident.
The same can be said for any job, whether you are running a restaurant, checking people in at the airport, or running an accounts department. If you’re not paying attention and being careful, you’re going to run into a safety or security problem: someone will get hurt, or something will get broken. In information security, this is how the bad guys get in and how accidental data loss happens.
Why is IT security so challenging?
Communication is a big part of the problem. The language of IT is different from the language of the business, and making the case for information security as a broader issue outside of IT is always a challenge. As a preventative measure, we have to weave IT security into the stories we tell across lines of business: relate the issues back to the people we are talking to, make them relevant, and help them understand what we’re trying to achieve. It’s no small feat, but it is a necessary one. If the business-wide notion is that security is “not my job, it’s an IT job,” then when something goes wrong the reputational damage lands on the company as a whole, not just on the IT department.
Compounding the challenge is the fact that IT people, in general, are under a lot of pressure, and security doesn’t always make it to the top of their priority list for the day. The biggest opportunity is in educating application developers, because they tend to be the gatekeepers of system security. But they are under such intense pressure to deliver business functionality that security often takes a back seat.
Security is not just an "IT problem"
In truth, there are many possible solutions. But I believe there are three basic steps all companies should be taking this year to get ahead of security risks.
Do a better job explaining the risks. Outside of IT, there is typically little understanding of the risks of an IT failure, and IT, historically, hasn’t done a great job of explaining those risks in nontechnical, non-frightening ways. The tendency is to jump to the worst-case scenario: “If you don’t do this, we’re going to get hacked, and terrible things will happen to our company and our customers.”
Instead, it’s much more effective to focus on the positives of security best practices: “If we develop secure systems that are reliable, we will maintain and even improve our image with customers.” These days, you can’t run your business unless IT systems are operational. If a system goes down, or has to be taken down because of a security threat, it’s your customers who suffer the most.
I recently took a short cruise to the Bahamas. After a trip to Nassau, it took over an hour for guests to re-board the boat. I was fuming and looking for answers when I got to the top of the gangway, only to be told, “it was an IT problem.”
As it turned out, the system that tied ID cards to cruise passengers had gone down, and they didn’t have a backup plan. For the cruise line, it was indeed a security risk, but that wasn’t the worst part for the company. Due to their lack of planning, and lack of understanding around the impact of a major IT outage, they’ve lost at least one customer – most likely more.
For me, this experience underscored the importance of framing security and IT resilience as a business problem. Those in IT need to do a better job of pitching it as a way of enhancing the customer experience and improving customer loyalty, rather than resorting to scare tactics.
Create a cross-functional team that reports to the top. The other key is to formalize a team and a process around security preparedness across the organization. It’s crucial for risk management to work very closely with the audit department. Ideally, the team spans the business rather than operating in separate silos, and it reports directly to the president or chief executive of the company, because the people at the highest level have to be educated on the value and the risks associated with IT security and resilience. Otherwise, it’s just a budget line item – if they don’t understand it, they’re likely to cut it.
Make security a priority from the start. Finally, you can head off a lot of security issues by implementing and reinforcing a “secure from the start” mentality throughout IT. Application developers should be trained, incentivized, and rewarded on their ability to develop secure code. There are a variety of ways to do this. One example is to make security testing mandatory right alongside functional testing of code, so that a build cannot pass one without the other. If you’re developing something with an externally facing component, it should also undergo a penetration test before it goes live.
As an added safety mechanism, you can introduce security best practices at the architecture phase. Doing so helps ensure the design itself is resilient and secure before application developers even start writing code. It’s worth noting that a “secure from the start” mandate should come from the CIO. If the CIO is focused only on delivering systems on time, security will keep slipping in priority. But if securely architecting, building, and testing resilient systems is a CIO’s criterion for success, then that’s what will get delivered.
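As an added example (my own illustration, not code from the original article) of what “security testing alongside functional testing” can look like at the unit level: the hypothetical helper below maps a user-supplied file name onto a fixed download directory, and its functional cases (does it serve the right file?) and security cases (does it refuse path traversal?) are entries in the same suite. The point is the layout, not the helper: a pipeline that runs this suite cannot pass the functional tests while skipping the security ones. The directory `/srv/downloads` and the test inputs are constructed for the example.

```python
"""Security tests beside functional tests for one unit (added example).

`resolve_download_path` is a hypothetical helper, not from the original
article. It maps a user-supplied file name onto a fixed download directory.
Functional cases (the feature works) and security cases (the feature refuses
path traversal) live in one suite, so neither can be skipped on its own.
"""
import os
from pathlib import PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise."""
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty name or NUL byte")
    # Treat backslashes as separators so 'a\\..\\b' is judged like 'a/../b'.
    candidate = PurePosixPath(requested.replace("\\", "/"))
    if candidate.is_absolute():
        raise UnsafePathError("absolute path")
    if ".." in candidate.parts:
        raise UnsafePathError("parent-directory traversal")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, *candidate.parts))
    # Defence in depth: re-check containment on the resolved path, which also
    # catches a symlink inside base_dir that points outside it.
    if os.path.commonpath([base, full]) != base:
        raise UnsafePathError("resolved path escapes base directory")
    return full


def relative_result(base_dir: str, requested: str) -> str:
    """Test helper: the accepted path relative to base, or 'REJECTED'."""
    try:
        full = resolve_download_path(base_dir, requested)
    except UnsafePathError:
        return "REJECTED"
    return os.path.relpath(full, os.path.realpath(base_dir))


# Functional cases: what the business asked the feature to do (constructed).
FUNCTIONAL_CASES = {
    "plain file": ("report.pdf", "report.pdf"),
    "nested file": ("2017/q1/report.pdf", "2017/q1/report.pdf"),
    "redundant separators": ("2017//q1/./report.pdf", "2017/q1/report.pdf"),
}

# Security cases: what the feature must refuse, kept in the same suite (constructed).
SECURITY_CASES = {
    "unix traversal": ("../../etc/passwd", "REJECTED"),
    "windows traversal": ("..\\..\\windows\\win.ini", "REJECTED"),
    "traversal after valid prefix": ("2017/../../etc/passwd", "REJECTED"),
    "absolute path": ("/etc/passwd", "REJECTED"),
    "nul byte": ("report.pdf\x00.txt", "REJECTED"),
    "empty name": ("", "REJECTED"),
}


def run_suite(base_dir: str = "/srv/downloads") -> dict:
    """Run every functional and security case; return {case name: passed}."""
    results = {}
    for name, (requested, expected) in {**FUNCTIONAL_CASES, **SECURITY_CASES}.items():
        results[name] = relative_result(base_dir, requested) == expected
    return results


if __name__ == "__main__":
    for name, passed in run_suite().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The security cases are deliberately the same shape as the functional ones, a name, an input and an expected result, so a developer adding a feature adds both kinds in the same place and the CI gate is one suite rather than an optional extra stage.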
Securing the enterprise is a big job – one that shouldn’t fall on one person’s or one team’s shoulders alone. With a number of unknown security risks sure to come our way in 2017, it will be essential for everyone in the business to take ownership and responsibility for security – and the CIO can play a critical role in steering the ship.