Own a Company? Why You Shouldn’t Just Leave IT Security Decisions to Your IT Team
Let me start by stating that your IT Team is crucial when deciding on and implementing an IT security strategy. This blog is not focused on downplaying or marginalizing their role.
IT security (like fire prevention and employee safety) is a risk mitigation process. Some requirements are mandated through regulation or code; others are elective and are deemed important by the decision makers in an organization. Any risk mitigation activity is generally addressed and approved by a group or committee, and that group is generally comprised of a cross-section of individuals with unique talents, interests, and responsibilities who together form a cohesive plan to protect their organization.
It’s my opinion that IT security needs to be addressed in this manner. The IT engineers clearly understand the threat vectors and technical aspects of security, but security policy also needs to reflect the potential business and economic impacts. This can only happen when other key decision makers outside of the IT department are actively involved.
Security Models to Avoid
Over the last 30 years I’ve been witness to countless security models. The vast majority of organizations took one of several less-than-optimal approaches. Here are a few courses of action that were less than effective for organizations:
Subscribed to the “Necessary Evil” Approach
In this case, management knew they had to do something, so they bought Anti-Virus and a basic firewall. Little care went into the setup, and it was often “fire and forget”, meaning once it was turned on, it was rarely revisited. They spent the league minimum, considered it a lost purchase, used it to appease the bankers or the board, and had it close to the bottom in terms of their budget priority. There was little to no understanding of whether it truly protected any element of their business.
Turned it over to IT
This was similar to the “necessary evil” approach, but here IT had some understanding of risk and exposure. The problem arose from having no executive sponsors for a true strategy. Also, IT was forced to beg for budget and forced to fit security into a “Total Cost of Ownership” or “Return on Investment” budget model. Anyone who understands a risk mitigation process knows that it’s unlikely that security costs are going to fit a financial model.
When you purchase property insurance, for example, do you do so expecting some type of return? The obvious answer is no; we purchase insurance to offset our financial losses in the event something bad happens like a storm or a fire.
How is IT going to cost justify security?
Responded After a Security Breach
After a breach, management really takes notice and wants to get involved. We hear demands for “root cause analysis”, “economic impact assessments”, and a host of other serious-sounding assessments. The blame game is alive and well, and it’s usually IT that is in the crosshairs. If the breach is serious enough, there will be at least one sacrificial lamb. The sad part is that once the initial sting from the event has subsided, more times than not the business will return to exactly the same approach to security that left them vulnerable prior to the event. They may spend a few dollars for another tool, but management’s attention quickly diverts to other topics.
Remote Work Creates New Security Risks
So, why is it important to bring up security again? The global pandemic has been massively disruptive to the way business gets done. Significant new risks have arisen as we change where and how our workforce operates. Remote work is an imperative, often mandated by governments. Organizations are shortcutting best practices in order to comply and stay in business. Management is finally taking notice of the potential threats due to the massive increase in successful attacks that are broadcast by the media. Gartner has an excellent article that addresses the concerns about cyber-security.
Creating a Comprehensive IT Security Model
A comprehensive IT security model cannot be just an amalgam of several tools. It must be addressed holistically. Security needs to incorporate protecting your most significant assets. Those can include banking and finance, supply chain, customer information, intellectual property, manufacturing, and upstream/downstream relationships. Your IT department may be sharp, but do you honestly believe they understand all these other business elements? They can help secure them, but how will they know priorities and potential impacts?
The only way to comprehensively address IT security is to get the rest of the organization involved. Organizations that successfully address security have used a risk management model. They:
- Create a security team that includes line-of-business leaders representing HR, Finance, Operations, Legal, Production, and IT.
- Build or find a system to help them catalog assets, exposure, risk, likelihood of attack, and impacts of attack. Most importantly, they revisit this frequently and adjust accordingly.
- Treat IT security as an ongoing priority to protect the organization, its clients, employees, and vendors.
Threats and attacks are no longer limited to just the “big” organizations. The sophistication of attacks from the bad actors of the world is now being seen in even the smallest companies.
The approach outlined above can be easily scaled to fit any group. The most important element of any strategy is the willingness and energy to make it a long-term objective.
Tim Krueger, PEI