A consultant recently concluded that some items in his office would be best stored in a small safe. He carefully considered the likely contents, his security concerns, and access requirements. He decided that a safe on the floor would be inconvenient and that installing a wall safe was not practical. The best option for his business was to bolt a small safe to a sturdy bookshelf behind his desk. He measured the shelf and contacted a locksmith at a major safe retailer.
The locksmith’s reply typified the strained relationship between users and security. It read, “The problem you are having is that you have picked a space for your safe without considering that a 10½-inch depth does not exist. My suggestion is to find a safe that will meet your needs and then find a place to put it.” Instead of providing a safe that fits the office, the locksmith essentially suggested that the customer make his office fit the safe.
In the cybersecurity realm, similar scenarios play out every day. Security professionals are asked to manage risk, and in many cases they are held responsible for the organization’s security posture. They often work with limited budgets and sometimes don’t have the right tools. To reduce risk, they frequently seek to change the business.
The rest of the business, on the other hand, just wants security solutions that fit. Software developers seldom want to change their designs, networking groups prefer their existing network architecture, and there is general resistance to changing business processes that currently work. Even today, in the wake of massive security breaches, many IT professionals still view security requirements as an obstacle and falsely believe that cybersecurity controls can simply be added to existing systems. The sad reality in many organizations is that the relationship between security and other IT functions remains adversarial.
There are many things that can be done to improve this relationship. Security teams can adopt a collaborative approach with their IT counterparts through consultative and educational efforts. IT management can strive to include security representatives at all stages of the system development lifecycle. However, the real source of this conflict usually originates in the C-suite and ultimately needs to be resolved there.
Information security professionals bring a variety of skills to the table. To fully leverage those skills, organizations must position their IT Security team as subject matter experts who consult to the rest of the company. The team should be responsible for assessing risk, communicating it to the appropriate stakeholders, and providing advice on risk mitigation. They should be involved in every service and system development project.
All risk, including security-related risk, should be owned by the relevant line of business. A senior manager or executive should be identified as the owner of every system, and that individual should be held accountable for all risk related to the operation of the system, including security.
Many organizations rely on information security risk assessments to support larger corporate security or risk management programs. That information is important, but requiring system owners to formally acknowledge risk assessments should be part of the corporate audit and risk management processes, not a security team function. Rather than placing IT security staff in a security enforcement role, make them resources who provide advice, guidance, and risk assessments to the system owners.
This approach represents a significant change for many organizations and will face resistance. System owners are in the best position to ensure that engineering, software development, database, operating system, networking, security, and other required disciplines are brought together to maximize business value and improve security. By adopting this approach, executive management has the opportunity to reduce conflict, improve security, and strengthen accountability.