Security – Whose Job?
In the wake of the revelations that Cambridge Analytica had obtained the personal information of tens of millions of Facebook users, I’ve read numerous posts and articles about privacy and security. In this post, I want to discuss organizational security – mostly, but not entirely, from an IT perspective.
Almost all organizations have some IT/Internet security, and those that are not very small have a dedicated person or a group whose responsibilities include making sure that their network and the data within that network (I’m including “cloud” storage as being within the network) are secure.
Similarly, most organizations have someone who is responsible for physical (traditional) security. One of the questions I’ve seen discussed concerns the overlap, if any, between these two functions – physical and cyber security. At first glance, there would seem to be little if any overlap – until we start to pull on that thread a little bit.
I’ve posted before on the Internet of Things (IoT) and the risks/dangers associated therewith. While the producers of network-enabled components and systems (and their clients) are becoming more security conscious, a significant fraction of IoT-enabled devices do not incorporate state-of-the-art security (and the majority of devices delivered in prior years are similarly deficient).
What this means for the traditional security professionals is that many of the security devices that have been installed (e.g. remote cameras and WiFi-enabled locks or doors) are at risk from hackers. Analogously, the IT professionals who worry about cyber security also need physical security to protect the integrity of their internal servers, routers and networks. To us as leaders, it may not seem to make any difference whether the IT guys or the security guys are ultimately responsible for cyber-security.
However, the skills needed to keep your entire IT structure up and humming are not necessarily completely (or even mostly) congruent with the skills needed to ensure a secure cyber environment. The argument can easily be made that there are advantages to having your (traditional) security organization assume cyber-security responsibilities (and there are arguments against it too). I think that the big argument for such a division of responsibilities is that the checkers (security) are not the same people as the implementers (IT). That means, at least to me, that there will be an organizational barrier to groupthink and to the inadvertent or unintentional failure to exercise critical review that comes from the attitude of “we did it, so we know it’s right.”
At the same time, there is basic knowledge that the cyber-security guys need and that the IT guys also need. Splitting the two will entail some level of duplication (or perhaps a failure to maximize efficiency).
The point here is that security needs to be treated seriously, and, as leaders, we need to decide whether our organization will benefit more from aligning cyber security with traditional, physical security or with the IT professionals.
BTW, it will remain important, independent of your decision on organizational structure or alignment, to educate your entire workforce on cyber security and to implement policies that make that security effective and un-burdensome. Next week, social media and security.
Related: Participate in the 3rd Edition IT Resiliency Planning Assessment Study
What are the current trends in IT Resiliency Planning and how are the most mature programs achieving success? This study compiles information from IT professionals around the globe and facilitates data-driven crisis management.
The Firestorm Analytical Solutions IT Resiliency Planning Assessment Study is used to assess how organizations are approaching their IT/DR/Resiliency programs. The study is now open for participation and will close May 25, 2018.
Who should participate?
• Participants must be responsible for contingency/resiliency planning.
• The study accommodates roles from planner through global manager.
• The study does not accommodate professionals who provide consulting services.
• Study participants will receive a complimentary copy of the study findings.
• Study questions and assessment of the data are completed by an International Benchmarking Advisory Board.
• The response is immense, driven by the value the results provide.
• The scope is world-wide, due to extensive contacts and partnerships.
• The company is an independent, neutral party and completely confidential – individual contact and company information is never shared outside of Firestorm.