By Amit Sharma, CenturyLink IT Security Advisor
IT Security is not novel. Security concerns are ubiquitous. Yet, it’s the very breadth and depth of IT security that makes it challenging for business managers. There’s a mind-numbing amount of information out there about the very topic. In this post, we will focus on a few simple ideas that will keep you on top of IT security discussions from the perspective of business leadership and outcomes.
The top 3 things I need to know about security.
- The goal is resilience, not perfection – You are going to get attacked. (The bad guys are probably probing your network even as you read this.) The goal should be resilience – making sure that your business is able to defend itself well, understand the vulnerabilities and recover quickly should a security breach occur.
- Your focus should be on business impact – Though there are a million questions and concerns about your company’s exposure to security risks, there is really only one question to ask: “What is the business impact of an incident for the information or assets in question?” For example, what is worse – the network going down for an hour or the business brand’s credibility being bruised in the eye of the consumer? The security risks with the highest potential business impact should be first in line for risk assessment and IT security resources.
- Security is technical, but also people-centric – Conversations about security can get bewilderingly technical, even for IT professionals. But, becoming secure has a lot to do with people and the security policies that govern their interactions with your information, apps, and customers. Many security breaches result from poor oversight, such as sharing passwords and neglecting to apply security patches to old software.
Give me two good reasons to pay more/better attention to IT security.
- There is potential for serious trouble – This is not big news, but a major security incident can be a career-ending or stock-price destroying event. Being knowledgeable about what really matters in security has become an essential executive skill. If you can’t afford the cost of a breach – make sure you’re protected.
- You can likely get better protection for the same level of spending – IT Security is not cheap, but what’s more expensive is the cost of a breach – a single incident in 2014 cost one major retailer nearly $165,000,000. If you understand how security truly relates to the business and to the bottom line, you will be poised to make better security investments.
Where are the risks?
- Missing the complete IT security picture – Adversaries look for vulnerabilities across a wide spectrum of IT and business processes, and the worst breaches often occur in the little areas where few people thought to focus, like the memory cache on a credit-card terminal. This is where a risk assessment is key! If you don’t know where your vulnerabilities are, how are you expected to plug the holes?
- Misallocation of IT security resources – If you don’t understand the business impact of a security breach, you may allocate resources in the wrong place. For example, if your network is vulnerable and exposes you to a high-impact incident, you need to invest in securing your network. This may sound obvious, but some organizations attempt to secure everything at the same high level and wind up under-securing the assets that potentially affect their businesses the most.
What is the takeaway idea for me?
IT Security is a broad and extremely complex subject that can be effectively managed through a disciplined focus on building resilience and securing the assets whose vulnerabilities carry the highest business impact. By balancing the people and technical aspects of your IT security strategy with a firm grasp of business impact, it is possible to improve security without necessarily raising the level of spending.
Amit Sharma can be reached at firstname.lastname@example.org for any questions about how to protect your business and mission-critical assets.