LOB, Security Teams Must Be On Same Page For Cyber Success
Security Teams As Enablers, Not Roadblocks
There are a number of factors baked into an organization’s security posture: solutions, staff, business model, visibility and so on. Despite a pervasive talent crisis and historically “siloed” IT units, cyber security has emerged as a top concern and driver within organizations.
Traditionally, there has been a gulf between lines of business (LOB) and the security team, or security operations center (SOC). In theory, this gulf could inhibit business growth and expansion, complicate corporate communication and leave the network vulnerable to threat actors. In fact, these siloed IT units were once often considered a nuisance or an afterthought, a barricade to swift business activity. Hence the furtive creation of “shadow IT” in some organizations, meaning LOB taking matters into their own hands and shrouding their activity from the security team.
Yet movements, and breaches, in recent years have broadened the security team’s remit and exposed it to more critical business functions. Essentially, chief information security officers (CISOs) and other executives (Information Security, Risk Management, Data Privacy) have earned a seat at the table, or are in the process of maneuvering up the corporate ladder.
To ensure sound cyber security at the enterprise level, it’s critical that LOB and security leaders both communicate regularly and develop careful protocols and contingencies. For example, with the rise of crypto-mining and ransomware, CISOs and the like must stay apprised of threat vectors and vulnerabilities, and communicate that to the C-Suite, perhaps the board, and surely the employee base. They must arrange regular knowledge campaigns, and instill best practices.
Even after all of this, ensuring that the various LOB grasp security protocols remains a top concern for CISOs. While change here is more gradual (compared to, say, technological advances), it is nonetheless a prerequisite for any IT security professional. So, has this relationship actually shifted in recent years? Is the security team still off in a silo?
To get a better idea of this divide – or a perceived one – we spoke with various security professionals, including Michael Wons, Chief Technology Officer (CTO), SAI Global.
Wons told the Cyber Security Hub that “there is a clear understanding of some levels of security and risk, however, it is not truly understood (across the business).”
The CTO said that LOB and overall corporate executives are busy and the issue of technology security is “essentially a nuisance that must be dealt with.”
Similarly, Michael Scheidell, Chief Security Officer (CSO), Security Privateers, LLC., told the Cyber Security Hub that, “Business thinks ‘IT’ (IT Security) will ‘just handle it.’ (The) same (goes for) GDPR and Business Continuity: ‘Just handle it.’”
Wons said, “The real question is how we can help the LOB executives understand that a secured and confident computing environment can be achieved with a level of constant discipline and awareness by their teams.”
Wons likened the challenge here to the “see something, say something” campaign on public transportation and in public places. He added that actually saying something is often “prohibited by time constraints” and a lack of comfort in speaking out.
The CTO said an “easy button” for reporting potential issues and security risks “is what we need to get to.” But how does an enterprise progress from a lower, or ill-informed, posture to the “easy button”?
The answer could be increased awareness, education and involving multiple teams in problem-solving (e.g., junk mail, phishing, social engineering, etc.).
In shoring up communication between security and LOB, Wons reemphasized the importance of awareness.
It’s a new age of IT. Wons expanded on this.
“No one is going to fall for their rich uncle who passed away in a foreign country and left them millions of dollars and all they need to do is provide their bank account and routing number,” he said. “We are past that. Phishing, scamming and unwarranted intruders are everywhere (though). Cyber security has become essentially a battle against organized crime…and the threat, unfortunately, is increasing, but can be solved.”
Wons suggested security teams ensure the right questions are being asked – and continually. He said CISOs and the like should “correlate crime experiences to cyber security experiences; it is all up (to the) individual to ‘see something and say something.’”
Employees must also bear some weight of the overall cyber structure. Wons said that “individuals need to own responsibility…and that starts with the LOB executives, citizens and the educational system.”
Further, Scheidell added that ISO 27001, GDPR and HIPAA “all require ‘Top Management’ involvement, and without (that), we are just ‘guessing.’”
The CSO said that thanks to the European Union’s (EU) sweeping data privacy regulation (GDPR), security is becoming even more of a top priority.
A Security Intelligence post framed this larger concept nicely, with the Three Lines of Defense model. The lines include Management Control, Risk Management and Internal Audit (or “independent assurance”). While the latter two involve senior-level executives or the board (including detecting key risk indicators (KRIs), viewing control frameworks, and gauging adequacy of security controls), the former incorporates various units.
The post reads, “The first line encompasses the information security department as well as various business units that own their cyber risks. These entities need to understand how their assets are vulnerable and actively manage their cyber risks within organizationally acceptable tolerances.”
Matrix Medical Network’s Head of Information Security and Data Protection Officer (DPO), Rebecca Wynn, likened this larger, and mutual, transition to a “paradigm shift” from security teams being seen as the “Gotta Squad” to the “Win-Win Initiators.”
Wynn added that security must also listen to the business and understand each department’s strategic imperatives, as well as the risk tolerance of executives. At that point, security can advise and wrap data with protection. She suggested that enterprise security teams need to “Protect to Enable,” and be more business-oriented.
“When you position yourself as part of the whole, then initiatives are more easily accepted,” she said. “Just as you assist other business partners, they in turn will be an extension of the Security, Privacy, Compliance and Risk Management teams.”
Suffice it to say that most security teams embrace the changing tides, meaning more awareness behind initiatives and, overall, much higher stakes. Cyber security has not only earned its way into the “vital business components” discussion; it is undeniably necessary for growth, not a hindrance to it.
As the security professionals mentioned, having regular meetings with LOB and educating them on their roles and their goal to “support while protecting” (versus prohibiting) is key to productivity, visibility and efficiency.
At the enterprise level, security simply cannot be ignored.