Ask Why You Care About Security

Recently, I had a conversation with a senior executive at a company about the firm's information security. The conversation, like others I have had lately, revolved around a sudden surge of interest in that security.

To be clear, we are not talking about privacy settings on Facebook (use them) or whether Snapchat pictures and messages really disappear (they don't). These people are seriously concerned about loss of data, whether through a security breach by bad actors targeting the company or through simple employee error. How safe, really, is the business information stored on servers, at cloud providers and on employee laptops?

People see the Target breach, the US Central Command Twitter account hack, the JPMC breach, the Sony breach, an unending list, and wonder, "am I next?" To their credit, even smaller companies, ones without all of the financial and payment information (Target, JPMC), national security implications (US Central Command) or brand-name impact (Sony, Target), are recognizing that they too are targets and are at risk.

While I always commend executives for taking information security seriously, it is important to understand why the company has a renewed focus on security, because the answer shapes:

  • What are we concerned about?
  • How urgent is it?
  • Who should lead and own it inside the company, and who needs to participate?
  • How much should we invest?

There are two broad categories of reasons why someone would care about their information security: internal and external.

Internal

Internal motivators are those that cause you to look at your information security for internal business reasons:

  • You want to reduce the probability of loss or exposure of information or services;
  • You want to mitigate the impact in case of such loss or exposure.

While these can be driven by the business side, the CIO/CTO/CISO (if you have one) will be the primary owner of this kind of information security review, as well as the follow-on policies leading to process and technology implementation.

Any information security policy requires the participation of the head of technology, but when the motivators are internal it is very difficult to get anywhere without his or her active sponsorship as well.

The benefits of internal motivators are two-fold. First, no certification is required, which keeps costs lower. If you care about protecting your data for your own reasons, you do not need any outside body to certify you. Nevertheless, it may be helpful to have that certification to keep you on the "straight and narrow" year after year, when the temptation to slip and underinvest grows. Second, internal security motivators, like intrinsic motivators in psychology, tend to produce a greater willingness among employees to embrace the changes. After all, we came up with this ourselves and we are doing it!

External

External motivators are those that impel you to review your information security because of market pressure. This pressure comes from one of two sources:

  • You have customers who insist on reviewing your policies and procedures, or even seeing certain certifications;
  • You need certifications for market value; it is easier to sell with these in hand.

Good examples include PCI DSS and HIPAA. If you want to handle credit card transactions but cannot demonstrate PCI DSS compliance, do not expect any serious customer to give you business; they simply will not. Similarly, if you handle health care data, you must be able to demonstrate HIPAA compliance if you expect to get any business. (Strictly speaking, HIPAA has no certifying body; what customers and business associates demand is evidence of compliance, such as a completed risk analysis and signed business associate agreements, rather than a certificate.)

The downside of external motivators is that they can be more expensive and sometimes frustrating to implement. Your information security guru, whether internal or a consultant, may know more than your auditors about the actual risks, and can find himself or herself trying to convince an auditor that, no, that extra $1MM in spend to mitigate a certain risk is completely unnecessary, because the network the auditor wants you to control has no connection at all, absolutely zero, to the secure network. Be aware, though, that under PCI DSS the burden is on you to prove that such segmentation really isolates the cardholder data environment, with documented network diagrams and segmentation testing; an auditor who has not seen that evidence is right to treat the whole network as in scope.

I dealt with this precise situation at two clients who totally isolated their production network from their corporate IT network, but the auditor still wanted to impose PCI controls on the corporate IT network, at very high cost and disruption to the business! We did, eventually, get the auditor to relent, but the process was frustrating for all parties.

The benefit of external motivators is that the impetus comes from outside IT, so in the case of an "old-school", internally focused technology lead it can be imposed on him or her. It is always better to have a CTO/CIO who sees the business first and technology as just a tool to serve that business, and who therefore builds partnerships and alliances with the revenue-generating side; but not all businesses are so blessed. External motivators provide a way to jumpstart the process from the business side.

Getting Everyone on Board

To successfully perform an information security review and come up with a plan, including which certifications, if any, you need:

  1. Understand why you are performing the review - external motivators, internal, or both.
  2. Determine which certifications you need and why.
  3. Bring all parties - business and technology - on board for the process.

When I have had the opportunity to work one-on-one and bring contrary parties together in partnership, the process - not just for information security but for any project - has been a pleasure for me and a real success for the business.