Security is Not an IT Problem
17 January 2018 | 10:22 am
Over the past 12 + years working as an Information Security (now known as Cyber Security) consultant, I saw too many situations where security was not implemented because the business thought that the IT department or Information Security (InfoSec) department could and would take care of it for them.
Before we go further let me define two things; 1) InfoSec is often a separate department from IT, especially in larger organizations, and 2) when I say “the business” I mean any part of the organization that is not IT or InfoSec.
The business is typically the groups that are directly related to the product you sell or the service you offer (sales, marketing, the call center, business users, etc.). They handle customer or sensitive data to do their job, they talk directly with the customer or client, or they directly support the organization (HR and accounting for example). These are the folks I am calling “the business.”
If you are a non-technical executive or business leader you might think that implementing security is the job of IT or InfoSec, however what we are going to talk about today is that if you want your organization to be secure and your data to remain your data, it’s time to look at this very differently.
It is very common for the business to think about security or bring the project to InfoSec right before they are ready to deploy a new system. Sometimes only because security got a “whiff” of the project or the project team looked at a security checklist and said “oh we should run this by security” and then ask, “Is this secure?” or “Can you make it secure?”
The problem with the scenario I just described is that it puts the cart before the horse. The cart being the business project or system that has been built and the horse being security.
It would be like building a bank and the week before it opens saying, “We should put in a vault, some locks, cameras, and ensure that we don’t get robbed, can we do that now?”
In my experience many business projects are implemented to automate a process or make something easier, faster, or better for the business user or customers. A call center rep looking up information for a customer or processing a transaction, providing customers the ability to pay online, or an automated time and attendance systems are all examples of a business initiated project that deals with a lot of sensitive data that needs to be protected.
Without security, these new systems might lead you to hand over the crown jewels of your organization, whether it is intellectual property or customer data, without you realizing it. Therefore let’s look at why security must start with the business and the reason IT or even the Information Security department can’t do it for you.
First and foremost, the business decides what data they need – if you are collecting information from customers, suppliers, partners, the government, or anyone for that matter; it is the business who determines what and how much data they need to get the job done and/or provide a service. IT or InfoSec never dictate the type of data a business user collects or how long it must be retained. The IT department supports the collection and storage of the data after the business determines what they need. IT can support security requirements through technical mechanisms to protect the data, but only if they know where the data is that needs to be secured.
It is the business who decides how they collect the data – do they want it to come in via website, call center, fax, mail, etc. The business determines the process flow to collect the data. IT or InfoSec does not say how data should be collected. IT can enable the data to be collected via technical means, but it is the business who makes the ultimate decision on how they want to collect it. IT cannot help secure a business process they don’t know about or have not been told contains sensitive data.
It is even the business that decides who has access to the data – which employees need to access the data in order to process orders, fulfill customer requests, service contracts, etc., and what level of access they need to do that job. IT may create the accounts, but they do not dictate who gets access to which types of data. Limiting access to data and administrative permissions is a key in basic security, which IT will gladly support.
The business also decides how long they need access to the data. Often what we see when there is a data breach is that there was a great amount of data available to the hacker because the business decided to keep sensitive data much longer than necessary. IT can help purge and remove data when they are told by the business what the data retention requirements are.
Lastly it is the business who decides what data is shared with external third parties and often the security of the third parties is not known or checked. InfoSec is a great resource for helping to validate the security of a third party, but they can only do this when they know who the business is sending sensitive data to.
All of these business decisions get fleshed out when they are developing their business and user requirements, often times in a vacuum without any insight or consulting by IT or InfoSec. Then they create system requirements for the developers who make their vision a reality, but if they have not included security requirements in their system requirements they will often get missed. That is because developers and IT staff who make all of the technical stuff possible are not often security professionals, they are IT professionals.
Just because someone is in IT does not mean they think about security. It’s like going to a general practitioner doctor and assume they are thinking about nutrition, you often need a specialist to discuss what to eat for your specific goals. The IT department is responsible for keeping servers and desktops running, making sure there are no network outages, that databases are available and connected to applications, that systems are developed to work as requested by the business, and that the technology is available when a user needs it.
Security is different because in many cases good security makes access harder and impedes the business and the IT users. It often means the IT folks have to document more and it can take longer to implement server configurations. Security is done by security professionals, who often have IT backgrounds, but are not typically your IT staff.
All of this shows you why discussing security has to start with the business and why the executives making business decisions need to include IT and InfoSec in the discussion from the very beginning. Security must be included throughout the lifecycle of any business or IT project, but all too often is left out of the planning and the cart is ready to go with no horse in sight.
If you have questions or don’t have a Chief Information Security Officer to help bridge the discussions between the business and IT with a security perspective, email firstname.lastname@example.org to discuss your challenges and virtual CISO services that are designed to help small and medium size organizations maintain their security posture.