
Mega Breaches Encourage IT to Clamp Down, and That's a Bad Idea


Transforming the security culture

With breaches at Equifax, Experian, and Deloitte fresh in today’s headlines, security and IT professionals are deeply engaged in the most important kind of self-examination: “Could this happen to me?” Before you assuage yourself with rationalizations about how this couldn’t possibly happen to you, let me assure you, it could and it might. The most common reaction from IT and security teams to another major publicly reported breach is to control what they can: clamp down on shadow IT, stick to policy, and quite possibly tell their line-of-business counterparts “no.” That is probably the worst reaction possible.

When shadow IT first became “a thing,” the tendency of many CIOs and CISOs was to try to stamp it out. Continuing that effort today flies in the face of business demands for digital transformation. Rather than stamping out innovation and creativity, CIOs and CISOs need to harness that energy and learn how to channel it safely, or look for a new calling.

This wasn’t what IT leaders trained for. The stability of the enterprise computing infrastructure relied on a strict “command and control” culture, where user and business demands for flexibility, innovation, and openness were subordinated to rigid standards aimed at protecting the integrity of systems and access. But the ease of provisioning cloud services makes it relatively simple for business groups to outmaneuver IT, with the high likelihood they can generate results that make it easy to justify the decision after the fact.

The modern CIO needs to put agility and serving the needs of the business ahead of the inherent desire to control every aspect of the digital business. Any IT leaders today who regularly say “no” to business requests will, at best, be listened to less and become less relevant. At worst, they will be steered toward, or abruptly shoved out, the exit door. The primary responsibility of IT is to understand what the business needs to do to succeed and to find ways to make it happen.

This shifting of priorities in no way means giving up on the objective of securing the organization. It does require that IT leaders understand that some opportunities outweigh the risks of implementing new systems and processes. The challenge now is to show how those opportunities can be accomplished and to point out the potential adverse impacts of doing so. In this way, IT and the business can come to a shared understanding of the risks of doing things differently, so that decision-makers can make the call on whether to do so or not.

Making the transition

Some in IT will jump at this opportunity to partner more fully with the business side. Others may never make the transition.

Any CIO or CISO who cannot rise to the challenge is likely to see the CEO and board of directors turn to others for strategic IT insight and planning. That may mean that a Chief Strategy Officer, or a Chief Digital Officer, or some other Chief (TBD) Officer, rises to the top, while traditional IT chiefs find themselves relegated to supporting roles.

The competitive environment and the impetus driving digital transformation are not conducive to placing security barriers in the path of business strategy. The job description of tomorrow’s CIO and CISO will be less about certifications, and more intensely focused on business enablement. Topping the list of job requirements will be the ability to confer with business counterparts to find ways to foster business growth and innovation while protecting infrastructure components to the appropriate level of risk acceptance.

Nobody can take risk down to zero. Any IT leaders willing to stand up in a boardroom and say they can are leading business leadership astray. Instead, they should be bold in confessing that IT has visibility into 90% or 95% or 99% of everything that is going on in the network, but that the missing percentage has the potential to inflict great business harm.

False sense of security

In today’s cyber world there is no metric you can track that is good enough to let you sleep soundly. Setting a goal of 100% protection only creates a false sense of security. The reality is that security doesn’t have goals—business has goals; security metrics and actions fold into those goals. What security requires are rules based on business goals. But if you set security goals that don’t resonate and align with the business goals, users and customers will simply find ways around them.

This is a tough message to deliver to CEOs and the board, especially given that they have made security investments over the years based on these false goals. If, for some reason, IT and security chiefs are not being invited into the boardroom to advise and consent, it’s a sure sign they’re already out of step with the business. It is also a clear-cut warning sign that it’s time to change the cyber security culture.

One easy step any organization can take today is to eliminate the concept of a standing, highly privileged user. Too many people hold “super user” status day in, day out, with essentially unfettered access to databases, systems, and networks where they can inadvertently or maliciously create harm. That type of privilege should be granted only when it is needed, only after the request has been escalated to a sufficient approval level, and only while it is monitored to catch adverse actions. When such access is no longer needed, it should be terminated immediately, until the next time it is required.
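The just-in-time privilege model described above, sketched as an added Python example (not code from the article): a hypothetical `PrivilegeBroker` grants a role only on request, requires a second person to approve, caps the grant's lifetime, records every use, and revokes the grant automatically once it expires. Names, roles and timestamps are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

Grant = namedtuple("Grant", "user role approver expires_at")  # one time-boxed elevation

@dataclass
class PrivilegeBroker:
    """Hypothetical JIT broker: no standing super-users, only approved, time-capped, logged grants."""
    max_ttl: timedelta = timedelta(hours=1)
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def request_elevation(self, user, role, justification, approver, now, ttl=None):
        # Escalation: a different person must approve, and a justification is required.
        if approver == user or not justification.strip():
            self._log(now, "DENIED", user, role, "self-approval or missing justification")
            return None
        ttl = min(ttl or self.max_ttl, self.max_ttl)  # a requested TTL never exceeds the cap
        grant = Grant(user, role, approver, now + ttl)
        self.grants[(user, role)] = grant
        self._log(now, "GRANTED", user, role, f"by={approver} until={grant.expires_at.isoformat()}")
        return grant

    def is_privileged(self, user, role, now):
        # Checked before every privileged action; an expired grant is revoked on the spot.
        grant = self.grants.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            self.revoke(user, role, now, "expired")
            return False
        self._log(now, "USED", user, role)  # monitoring: every use of elevated privilege is recorded
        return True

    def revoke(self, user, role, now, reason="no-longer-needed"):
        if self.grants.pop((user, role), None) is not None:
            self._log(now, f"REVOKED:{reason}", user, role)

    def _log(self, now, event, user, role, detail=""):
        self.audit_log.append(f"{now.isoformat()} {event} user={user} role={role} {detail}".strip())

def run_scenario():  # constructed walk-through: a DBA needs db-admin for one change, not permanently
    t0 = datetime(2017, 10, 1, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker(max_ttl=timedelta(minutes=30))
    denied = broker.request_elevation("alice", "db-admin", "rotate creds", "alice", t0) is None
    grant = broker.request_elevation("alice", "db-admin", "rotate creds", "bob", t0, timedelta(hours=8))
    usable_10m = broker.is_privileged("alice", "db-admin", t0 + timedelta(minutes=10))
    usable_31m = broker.is_privileged("alice", "db-admin", t0 + timedelta(minutes=31))
    return broker, denied, int((grant.expires_at - t0).total_seconds() // 60), usable_10m, usable_31m
```

The audit log that results is the monitoring trail the paragraph calls for: a denied self-approval, a grant capped to the 30-minute policy despite an 8-hour request, one recorded use, and an automatic revocation with no standing grant left behind.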

The challenge is to provide secure enablement, not create a false expectation of fool-proof prevention. This requires a change in culture. That can only come with a fundamental rethinking of the ways we have managed IT and security.