Data security can build business

Far from being a brake on enterprise, IT security should be a business enabler, writes Tom Brewster

Data security chiefs are often perceived as the deniers of new technology, a barrier to business innovation and the naysayers who can never fix machines quickly enough.

“When you walk in the room, there’s a negative connotation,” a colleague told Quentyn Taylor, director of information security at Canon Europe. The forthright member of staff pithily conveyed the conception employees tend to have of those in charge of protecting the enterprise.

And this situation has been exacerbated over the years by an unwillingness to make information security a true business asset, rather than a nuisance.

Yet those who choose the more progressive route are the ones who will not only do a better job of protecting the business, but will also create additional value through security.

Here’s where some experience of cognitive dissonance comes in handy. For chief information officers (CIOs) to become a positive force in the business paradoxically means being two things at once: completely invisible and more visible than they ever have been.

In an ideal world, protection around staff software is as close to invisible as possible. Authentication is one example where security can innovate and stay out of the way simultaneously. Logins for all an employees’ tools could be initiated over their smartphones, which would contain codes to verify identities. Combined with a Bring Your Own Device strategy, this could help incorporate people’s mobile phones, tablets and laptops into the workplace, and make signing in simpler than it ever was.

Chief executives would be wise to involve their security and technology teams in almost every big decision

Yet the IT team should also make sure they are visible and known to every part of the organisation as a boon to the business. Often this will mean embracing risk, saying “yes” rather than “no” to fresh ideas, even when they appear to be riddled with dangers at first glance.

“Security used to be synonymous with compliance. It was about ticking boxes, rather than what was necessary or right for the business,” says Mark Brown, director of risk and information security at consultants EY. “Businesses have started to realise this is a risk-based world in which we live. It’s now about questioning why rules are there in the first place.”

It’s in those instances, when IT security specialists can approve ideas and even contribute to them while their bosses expect the opposite, where CIOs will surprise and thrive. The more ambitious the CIO, the greater the benefit for everyone involved. “Go after the big fish. Go after the big issue,” Mr Taylor says. “Risk is what makes the world go round.”

Chief executives would be wise to involve their security and technology teams in almost every big decision. This should spur adult conversations around what tools could be used to facilitate and protect new projects, as well as the need for cross-disciplinary educational programmes.

With C-level executives and IT teams working closer together, along with other organisational departments, the response to attacks, even the most advanced strikes, will be more effective. With everyone involved in the process of securing the business, hackers will not find it as straightforward as they have done to uncover weaknesses.

It would be easy to regress in today’s turbulent environment, though. Over the last year, the world has witnessed the aftermath of the most severe case of insider attack ever seen, in the form of Edward Snowden. As a contractor at Booz Allen Hamilton, he managed to acquire and leak classified US National Security Agency documents, threatening the reputation of intelligence agencies the world over.

With some basic social engineering techniques, he managed to bypass security layers at the biggest spy agency on the planet. His actions not only proved even the most risk-averse of organisations were vulnerable, but destabilised trust in the agency’s tech partners, who happened to be some of the biggest cloud computing providers in the world.

Meanwhile, the rise of the “Internet of Things”, which will see connected devices, from smart TVs to Google Glass, proliferate and appear in workplaces, is expanding organisations’ attack surfaces.

At the same time, whether sponsored by governments or organised criminal gangs, hackers’ attempts continue to get more sophisticated and widespread. When retailing giants, such as Target, are being compromised, it’s clear any company, regardless of industry or size, can be hacked.

Achieving the cultural change to make security a business enabler is far from simple. The company might not even know when it has reached that position. “Security is a journey not a destination. That is the point. You never know when you’ve made it,” Mr Taylor adds.

But the era of the maligned, untrusted data protection chief is reaching its denouement. The day of the dynamic, collaborative and popular security leader is dawning.