One of the biggest priorities in IT this year will be to finally resolve the ongoing debate: Who is responsible for security? Is it the sole responsibility of IT, or is it a business problem? From my point of view, if you don’t think security is part of your job, you become part of the problem. To truly secure the enterprise, security must become central to everyone’s role.
Why is IT security so challenging?
Communication is a big part of the problem. The language of IT is different from the language of the business. Making a case for information security as a broader issue outside of IT is always a challenge. As a preventive measure, we have to weave IT security into the stories we tell across lines of business in order to relate the issues back to the people we are talking to, make it relevant for them, and help them understand what we’re trying to achieve. It’s no small feat, but it is a necessary one. Because if you have a business-wide notion that security is “not my job, it’s an IT job,” it can cause real reputational damage to the company as a whole – not just the IT department – when something goes wrong.
Security is not just an “IT problem”
In truth, there are many possible solutions. But I believe there are three basic steps all companies should be taking this year to get ahead of security risks.
Do a better job explaining the risks. Outside of IT, there is typically a lack of understanding of the risks of an IT failure. And IT, historically, hasn’t done a great job of explaining the risks in nontechnical, non-frightening ways. The tendency is to jump to the worst-case scenario: “If you don’t do this, we’re going to get hacked, and terrible things will happen for our company and customers.”
Instead, it’s much more impactful to focus on the positives of security best practices. “If we develop secure systems that are reliable, we will maintain and even improve our customer image.” These days, you can’t run your business unless IT systems are operational. If a system goes down or has to be taken down due to a security threat, it’s your customers who will suffer the most.
Create a cross-functional team that reports to the top. The other key is to formalize a team and process around security preparedness across the organization. It’s crucial for risk management to work very closely with the auditing department. Ideally, it’s a team that spans the business, rather than operating in separate silos, and reports directly to the president or the chief executive of the company. Because at the highest level, they have to be educated on the value and the risks that are associated with IT security and resilience. Otherwise, it’s a budget line item – if they don’t understand it, they’re likely to cut it.
Make security a priority from the start. Finally, you can combat a lot of security issues by implementing and reinforcing a “secure from the start” mentality throughout IT. Application developers should be trained, incentivized, and rewarded on their ability to develop secure code. There are a variety of ways you can do this. One example is to make security testing mandatory right alongside functional testing of code. If you’re developing something that has an external component, it should also undergo a penetration test before it goes live.
As an added safety mechanism, you can introduce security best practices at the architecture phase. Doing so will further ensure the inherent design is resilient and secure before application developers even start writing code.
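To make “security testing alongside functional testing” concrete, here is an added example that is not from the original article: a hypothetical file-download helper (resolve_download and its naive “before” version resolve_download_naive are invented for this illustration) with a functional check and a security check run through one gate, so a build cannot pass on working functionality alone. The sample file tree is constructed in a temporary directory.

```python
"""Functional and security checks run as one build gate (added example).

The helper, the checks and the fixture are hypothetical; the point is that
the security check sits in the same gate as the functional check, so a
change that works but is exploitable still fails the build.
"""
from pathlib import Path
import tempfile


def resolve_download_naive(base_dir: str, requested: str) -> Path:
    """The 'before' version: joins the user-supplied name and trusts it."""
    return Path(base_dir) / requested


def resolve_download(base_dir: str, requested: str) -> Path:
    """Map a user-supplied file name to a path under base_dir.

    Raises ValueError if the resolved path escapes base_dir (path traversal).
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"refused: {requested!r} escapes {base}")
    return target


# --- functional check: does the feature do its job? -----------------------

def check_serves_existing_file(base_dir: str, resolver) -> bool:
    p = resolver(base_dir, "report.txt")
    return p.is_file() and p.read_text() == "quarterly report"


# --- security check: does the feature resist misuse? ----------------------

def check_rejects_traversal(base_dir: str, resolver) -> bool:
    """Every traversal attempt must be refused with ValueError."""
    for bad in ("../etc/passwd", "subdir/../../secret", "/etc/passwd"):
        try:
            resolver(base_dir, bad)
        except ValueError:
            continue
        return False  # resolver accepted a path outside base_dir
    return True


def run_gate(base_dir: str, resolver) -> dict:
    """Run every check; the gate passes only if all of them pass."""
    results = {
        "functional:serves_existing_file": check_serves_existing_file(base_dir, resolver),
        "security:rejects_traversal": check_rejects_traversal(base_dir, resolver),
    }
    results["gate_passed"] = all(results.values())
    return results


def make_fixture() -> str:
    """Constructed sample tree: one legitimate file under a temp base dir."""
    base = tempfile.mkdtemp(prefix="downloads_")
    (Path(base) / "report.txt").write_text("quarterly report")
    return base


if __name__ == "__main__":
    base = make_fixture()
    for name, resolver in (("naive", resolve_download_naive), ("hardened", resolve_download)):
        print(f"== {name} ==")
        for check, ok in run_gate(base, resolver).items():
            print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run stand-alone, the naive resolver passes the functional check and fails the gate on the security check; the hardened resolver passes both. Wiring run_gate into the same CI step as the unit tests is what turns “security testing is mandatory” from a policy statement into something the pipeline enforces.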
Securing the enterprise is a big job – one that shouldn’t fall on one person’s or one team’s shoulders alone. With a number of unknown security risks sure to come our way in 2017, it will be essential for everyone in the business to take ownership of and responsibility for security.