As I’ve mentioned lately, cybersecurity is dependent on humans. Much of that revolves around human behavior and how cybercriminals prey on our mistakes, laziness, and dedication to multi-tasking. Yet, there are other areas where humans directly affect cybersecurity; one is communication.
I sat in on a session at the Enfuse 2017 conference called “Can I Get a Translation?” The discussion centered around the need for legal departments and the IT or security teams to speak the same language when talking about cybersecurity.
One of the problems is that IT and legal have different interests, the panel explained. Legal, for example, is looking for potential smoking guns in the data, but that's not IT or the security team's goal. But if that data isn't stored or protected correctly, you know which department is going to get blamed, right? IT is charged with keeping the network up and running. The security team is supposed to make sure the network and the data accessed through that network are safe. The legal team is charged with protecting the overall business. Each department also values company assets differently; the assets legal sees as most important may not be the ones IT values most.
Of course, when everyone practices good cybersecurity, all of those objectives are met. So what is at play here?
One issue is that tech professionals and lawyers have different definitions of the same situation. Using the standoff between Apple and the FBI over hacking the San Bernardino shooter’s phone, Lawfare shared this example of that difference:
Lawyers and technologists mean different things when they say the word “privacy.” For American lawyers, privacy begins with Louis D. Brandeis. Privacy is the “right to be let alone.” . . . For technologists, privacy means the ability to have a secure conversation. . . . There is no wiggle room; a system is either secure or it is broken.
If we can’t define privacy the same way, it is difficult to provide the right security for information.
And as someone sitting in on the session mentioned, even moving to a new server can present different challenges for different departments. What IT sees as a routine equipment upgrade turns into potential compliance breaches for legal.
How do we get everyone speaking the same language about cybersecurity? First, give the security team a voice at the executive level. If your CFO or COO is reporting directly to the CEO, then so should the CIO, CISO, and CTO, but this isn't always the case. Second, create a single standard for asset value. As InfoSecurity stated:
cybersecurity professionals must first focus on identifying the most valued information assets, those that could cause the most damage if compromised, and then apply the risk equation. They should look at the threats to their most valued assets, identify associated vulnerabilities, determine the probability of those two meeting, the impact the compromise would have, and apply their cybersecurity resources accordingly.
But they can't identify the most valued assets without input from other departments. That goes back to communication and different groups having a place at the table. Third, there needs to be a security incident response team that includes people from IT, the security team, legal, marketing, etc. If this team meets regularly, it can begin to break down the language barriers and get everyone on the same page, both on protecting data and on how to react in a post-incident situation.
It certainly won't be easy to bridge the language barriers when it comes to cybersecurity, but when communication improves, so does the network's overall security.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba