Rook Uncut: Identifying the “Achilles Heel” of your Security Program

By Rook Security, published in SECOPS. 3 min read. Jan 30, 2015

With new data breaches or information security concerns making headlines each day, we are often approached by peers, friends, family, and the media to provide insight. Rook Uncut gives you our quick and raw answers to security questions. If you missed the last edition of Rook Uncut, check it out here.


In this post, I answer common questions I have been asked regarding collaboration between IT and other departments.

Q: Why do you think there is a lack of collaboration between IT/Security and other departments?
A: Whether collaboration problems exist between IT and security personnel really depends on the environment and the tone from the top. Having worked in organizations where security was positioned at varying layers of the org chart (a CISO with a seat at the table versus three steps down from the nearest executive), I can say it makes a huge difference. If risk-based security decisions are not being made at the top levels, it is quite hard to drive a security agenda from the depths of IT. Many IT administrators are cognizant of security threats and don’t want their systems to be compromised, but their #1 priority is keeping the lights on. More collaboration must be driven from the top of the organization to ensure systems are not only operationally sound, but secure as well.

Q: How does better communication add another protective layer to the security plan?
A: Communication is the “Achilles Heel” for many organizations. It is imperative that open dialogue exists between security and all groups within an organization. Security must champion this effort regardless of the status quo within the organization. Security awareness is an important layer of security — employees must be made aware of the potential threats and educated on how to mitigate security risk within the corporate and their personal environments. Communication must be timely, relevant and understandable; otherwise, it becomes white noise.

Q: What tips do you have that could improve security-related communication across departments?
A: To execute any improvement, including how we communicate, it’s important to have a plan. Set the expectations in advance. What will be communicated? Who will receive the communication? When will the communication be sent? And how will it be communicated? Follow a standard format/template for sharing information so your audience becomes accustomed to it and knows what to expect. Follow through every time — one miss can throw off the cadence, and interested parties may begin to pay less attention over time because of the inconsistency.

Q: How do you get the C-level folks on board? Too often they seem like a major stumbling block.
A: Getting the C-level team on board can be a struggle if there is not a direct line through a CISO. Security leaders who are buried within the organization must continue to fight for visibility and a seat with the executives. Focus on identifying the potential security risks to a core business goal. Define the strategy for mitigating that risk, formally present it up the chain, and keep going until you get that seat at the table. If a goal is to increase revenue by growing the customer base, what concerns are potential customers going to have about security? In the past few years there has been a surge in current and potential customers taking note of how you handle their data. Whether it is PII or intellectual property you have to protect, rest assured that sooner or later your company will be asked to show evidence of a security program and that it is enforced from the top down.


Global provider of IT security solutions protecting against dynamic, emerging threats. -- Inc. 500 Company in 2014.