Communication and education may be the most important elements in improving network security. After all, the more your employees know about the types of threats out there and the tactics the bad guys are using, the more secure the network will be (in theory, anyway).
But if the lack of communication and collaboration stems directly from the group that is responsible for security, then you might as well put out the welcome mat for hackers and other bad guys. A recent Ponemon study found that a third of IT and security professionals don’t communicate with management about security unless they absolutely have to, and another quarter will have security discussions with company leaders only once a year.
I recently had the chance to get some feedback on this issue from a couple of security experts: Barry Shteiman, director of Security Strategy with Imperva, and Renee Bradshaw, senior solutions manager with NetIQ.
The collaboration breakdown often stems from how security is viewed within the company. There is a misconception about security’s effect on the business’s bottom line: that security somehow inhibits productivity. There is also a question of where the responsibility lies, especially as so much data is being stored or accessed in the cloud or on personally owned devices. When there are so many mixed signals about security, the only ones who benefit are the bad guys. As Bradshaw told me:
The lack of collaboration between the IT security team and the rest of the business represents a gaping hole in the protection of sensitive organizational assets. At the root of every single data breach is a human being. The inability of organizations to accept this fact is the cause of every breach – whether it be accidental, or the work of a hacker. When departments do not work collaboratively to understand user behavior occurring within the perimeter, breaches will happen.
Good communication and collaboration increase the visibility of the security plan, both Bradshaw and Shteiman said, and that better visibility in turn offers an additional layer of network security. Said Shteiman:
When the security department is communicating with the rest of the company, awareness increases and internal business unit owners take the security element into consideration. However, this practice has to be a two-way street, meaning that the security department must provide reports and data points to the business owners so they know what service they are getting from the security department, as well as allowing them to detect things that the security officer can’t because he/she does not always understand the business process that leads to an action with data.
Finally, the security folks have got to do a better job of engaging the executive staff to both support and implement better security practices. Again from Shteiman:
I find that C-level folks listen best when a budget is involved. It is important for the security officer to demonstrate how they either help save money or make money for the company. If breach prevention is on the table, then the security officer must demonstrate to the C-level what is the cost and impact on the business. A good example will be for the security officer to demonstrate to the CMO the cost of brand hit and business lost if the website goes down because of a DDoS attack. Once the CMO understands the impact in terms he is familiar with (i.e., numbers/financials/money), there is a greater likelihood that the security officer will get the collaboration, and perhaps the budget, he/she needs.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba