Last week I had an opportunity to moderate an extremely impressive panel of security officers at the Argyle Chief Information Security Officer (CISO) Leadership Forum in Chicago, IL. The panel topic was managing the “Balancing Act” between security and the business. Our panelists included representatives from the security teams of global defense contractors, financial services organizations, and manufacturing companies. All of these organizations and their security teams operate their businesses around the world, and have responsibilities to protect not only employee data and company trade secrets, but also data from their business partners and customers. Together, we discussed best practices in finding the balance between enabling the business and ensuring it is resistant to security vulnerabilities.
We explored the evolving role of the security team and security methodologies in increasingly interconnected global businesses. Historically, more “traditional” security models were focused on “perimeter-based security”, where security officers focused their efforts on building walls to keep information “in” and keep adversaries “out”. That approach has become increasingly difficult to maintain in a business landscape with transparent boundaries. For example, traditional data loss prevention alone has limited value in helping you measure and prioritize the risk associated with the assets you are trying to manage and protect, unless you also have insight into the data itself. If you build a “ten foot wall”, then your “attackers” will come with an “eleven foot ladder”, forcing you to build a “twelve foot wall” in a battle that continues endlessly. Further, how do you build a wall around information when that information is no longer maintained in a central system (or “the castle”) but rather flows through different systems – such as Microsoft SharePoint, file shares, and social platforms – accessed by people with different roles and across different devices?
The new approach our panel discussed was the idea of focusing on the specific data you actually need to protect. What do you consider to be your “crown jewels” when it comes to business data? Do you need to put the same level of effort toward protecting pictures from the company picnic as you do for protecting your customer data or trade secrets? Data-aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent and building multiple lines of defense.
Further, making it easier for your employees to do their jobs successfully while building a more secure environment means implementing a culture and technology systems where privacy and security controls are not limited to “once a year” training sessions. Instead, it’s important to have an ever-present “culture of compliance” in which it is easier for your employees to do the right thing than not. Companies must create a transparent security organization to discourage employees from working around security parameters.
Finally, we discussed a new paradigm in which security might answer every employee “ask” with the answer “yes.” For example, when an employee asks if they are able to do something, such as setting up a site to collaborate with peers, security would say yes but also tell them what will need to be put in place in order to make it happen. By creating a culture of “yes”, where security is seen as an enabler of the business rather than as a bottleneck, we believe that organizations will be able to transform their end users from their greatest vulnerability into a volunteer security team.
Overall, the panel and the event provided a great opportunity to explore ways that organizations across many industries are working to ensure that their customers, constituents, employees, and data are protected while enabling the business to be more productive than ever before. To learn how AvePoint helps address these challenges, please visit our website.