Even as data breaches and security events increase, securing your IT systems is still an “elephant in the room”. While CIOs and other IT management may complain about not having enough budget for security work, the real problem is that most non-IT staff need a lot more education about security. Otherwise, the CFO and others may just expect IT to “handle it” without understanding what it really takes.
My company was fortunate enough to present on IT security at a recent state government legislative study committee. Up for consideration was an expansion of a system, and one concern was, of course, security. I was chosen to represent my company and give the presentation. Given that most people in the room would not be IT staff, my challenge was to figure out how to make IT security understandable and, hopefully, compelling. In working through this challenge, we hit on an incredibly important message for any organization. While I started to brainstorm on how to consolidate technical security jargon into something understandable, my colleague reminded me of possibly the most important thing about IT security: it’s less about the technology and more about people.
It is just a fact that most data breaches are caused by human error. It’s not that people are careless, but complex or convoluted business processes invite error, and the more human “touches” a process has, the more risk of error. This is pretty straightforward stuff, and I’m not even bringing in the traditional NIST Special Publication 800-53 material. Clearly, real security (not just compliance, but I’ll leave the difference between security and compliance for another post) focuses not only on the technology but also on the people and the process. So as IT professionals, this must be a call to action for a company-wide IT security initiative, not just an IT initiative. If security is only the responsibility of the IT department, systems will never be secure.
Need a way to make it relevant to non-IT folks? Just take a look at a report by the New York Attorney General. Not only was 2013 a record year for data breaches, that year alone cost an estimated $1.37 Billion (that’s with a B), and that’s only for one year, and only for New York! Think about this happening in all 50 states and it starts to turn into some real money.
The other part of that report that non-IT folks need to know is that the #1 threat is now hacking. That’s right, criminals actively trying to break down your defenses, and unfortunately, most companies nowadays hold some sensitive information: financial, medical or simply identity data. So understand that this is never going to end. Just as there will continue to be bank robberies, today is a far cry from the bank robbery heyday of the 1930s. Why? Because everyone understood that security had to increase, and the robberies were costing more money than it would take to implement that security.
The same should be true today for IT security. Just as banks have many security measures (old-school ones like locks and physical separation of people), IT has to get over the “inconvenience” and “expense” of implementing heightened security and, dare I say it, needs to have frequent and voluntary audits done. No one would trust an accounting system without an audit, so why should it be any different for IT?
The last, and hopefully compelling, reason to make security everyone’s business is that the stakes are higher now. Just as Target’s CEO resigned over the data breach in his organization, heads will continue to roll when preventable security mistakes are discovered. So it really is in executives’ best interest to get the whole organization on board.