Making the Business Case for IT Security Investments

Ultimately, when a business and its IT department are disconnected on the security front, the organization is at a high risk of a data breach.

Destiny Bertucci is Head Geek™ at SolarWinds.

In 2017, there were a total of 5,207 breaches—up 20 percent from 2015—and 7.8 billion information records exposed worldwide, up 24 percent from 2016. A strong security posture should be a top priority for organizations; and while IT professionals play a crucial role in helping to drive both dialogue and process implementation, there is a burgeoning need for security to be approached from a business perspective, not just at the IT level.

Why? In today’s threat landscape, it’s important for everyone in the organization to understand security rules and requirements. Employees can inadvertently take actions that go against the business’s security policy or harm the network, often without knowing what they’re doing.

Where Are We Now?

The current security preparedness landscape at most organizations varies, but there’s often a lack of direction. All IT professionals, regardless of the size of the company they work for, must be well-versed in how to present the need for security to their business leaders in a way that will be understood and appreciated.

Dollar-value, specifically, is one way to communicate the importance of a security posture to senior leadership. Many organizations don’t fully comprehend the cost of a breach. Annualized loss expectancy (the product of annual rate of occurrence and single loss expectancy) should be a consideration at the heart of all businesses as it helps quantify the risk of a lackadaisical security strategy. The formula can be used to portray the cost of security for something like a specific product, such as an employee laptop, and highlight why it’s important to invest in security and user education rather than covering the loss or theft of that device.
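As an added illustration (not from the original article), the following script applies the annualized loss expectancy formula above to the employee-laptop case and ranks candidate controls by how much yearly loss they avoid net of their own cost. All fleet sizes, dollar figures, loss rates and control names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate security investment and the risk picture once it is in place."""
    name: str
    annual_cost: float   # what the control costs the business per year
    aro_after: float     # annual rate of occurrence once the control is deployed
    sle_after: float     # single loss expectancy once the control is deployed


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy = annual rate of occurrence x single loss expectancy."""
    return aro * sle


def net_benefit(baseline_ale: float, control: Control) -> float:
    """Yearly loss the control avoids, minus what the control itself costs each year."""
    return (baseline_ale - ale(control.aro_after, control.sle_after)) - control.annual_cost


def best_control(baseline_aro: float, baseline_sle: float,
                 controls: Sequence[Control]) -> Tuple[Optional[Control], float]:
    """Pick the control with the highest net benefit.

    Returns (None, 0.0) when no option avoids more loss than it costs, i.e. when
    simply absorbing the loss is the cheaper choice on these numbers.
    """
    baseline = ale(baseline_aro, baseline_sle)
    ranked = sorted(controls, key=lambda c: net_benefit(baseline, c), reverse=True)
    if not ranked or net_benefit(baseline, ranked[0]) <= 0:
        return None, 0.0
    return ranked[0], net_benefit(baseline, ranked[0])


# Constructed scenario: 200 laptops, 5% lost or stolen per year (ARO = 10).
# One loss costs $1,500 in hardware plus $20,000 in breach handling for the
# unencrypted data on the device (SLE = $21,500). These are assumed figures.
BASELINE_ARO = 10
BASELINE_SLE = 21_500
LAPTOP_CONTROLS = [
    # Encryption does not stop theft, but removes the data-exposure cost.
    Control("full-disk encryption plus device management", 8_000, 10, 1_500),
    # Training lowers how often devices are lost but not the cost per loss.
    Control("user awareness training", 6_000, 7, 21_500),
    # Insurance only reimburses the hardware; the data exposure remains.
    Control("device insurance", 24_000, 10, 20_000),
]

if __name__ == "__main__":
    chosen, benefit = best_control(BASELINE_ARO, BASELINE_SLE, LAPTOP_CONTROLS)
    print(f"baseline ALE: ${ale(BASELINE_ARO, BASELINE_SLE):,.0f}")
    print(f"best option: {chosen.name if chosen else 'absorb the loss'} (${benefit:,.0f}/yr)")
```

On these assumed numbers the encryption option wins by a wide margin, which is the kind of comparison the article suggests presenting to leadership instead of a bare breach-count statistic.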

Beyond the management level, it's also crucial to share security best practices and guidelines with employees in a way they can understand. For example, IT professionals should avoid using highly technical terms that don’t resonate with the average end-user. Additionally, consider showing employees examples of what to look out for, like a phishing or ransomware email. Security training should be given as part of new hire orientation and onboarding, and it should be reinforced at multiple points throughout the year for all employees. Employees must understand how security is a goal of the business, or they’ll always be a weak link.

At the same time, every person in the organization should be a security advocate and be fully briefed on an action plan in the event of a hack. Employees must understand what steps they should take if they think they’ve been breached or have a virus on their mobile phone or laptop. IT professionals should praise employees who come to them with potential issues and have a loaner laptop or device available for them to use so they can continue handling their responsibilities even when their device has been compromised.

Ultimately, when a business and its IT department are disconnected on the security front, the organization is at a high risk of a data breach. Employees must know how to properly use their mobile devices, laptops, and other devices to help avoid breaches and align with the business’s security policies.

Best Practices for Implementing a Business-level Security Strategy

With this in mind, here are a few best practices to reference as you begin implementing elements of a business-level security strategy:

Data loss prevention: Start by identifying what’s at stake should your organization be opened up to a hack or a breach. Begin with risk intelligence strategies to scan and assess what potential threats and vulnerabilities exist, both inside and outside your organization. This should be immediately followed by data loss prevention strategies like deleting or encrypting certain files or data.

User education: End-user education is a sorely underutilized method of further securing an organization’s data. The numbers consistently show that most attacks originate inside the organization, often stemming from things like an employee falling victim to a phishing scheme that introduces malware on the network, DDoS attacks, or accidental end-user errors that stem from an inadequate understanding of potential security threats. The organization’s IT department should be proactive and transparent about flagging security vulnerabilities that could be exacerbated by end-user activities, such as using company email on a smartphone OS that requires a security patch or accessing a social media profile with a password that may have been part of a larger breach.

Constant and comprehensive monitoring: If an organization is not monitoring, it will never see an anomaly. IT professionals can come in after a known breach or an attack and then set up monitoring, but at this point it’s possible to miss what the hackers left behind. All businesses should proactively monitor to develop a baseline, so in the future it’s simple to see what’s out of the norm. IT professionals should also look to integrate compliance software, such as security information and event management (SIEM), into an environment to ensure that vulnerabilities are being taken care of by leveraging an easy interface within which one can handle things like patches and log event management.

Fluid security policies: Businesses must be able to easily revise security policies. Remember, the security landscape is constantly changing. This should not be a “set it and forget it” plan. Rather, it should be reassessed every six to nine months to ensure everything is up to date and as effective as possible. In many cases, I’ve evaluated a company’s security process and found that policies were set up as much as two years prior without any thought to updating them. Separately, there should be two different security policies: one for employee users, and one that can serve as a framework for the company’s network team, systems team, and security team.

Breach policy: It is crucial for each and every business to have a breach policy outlining what they will do after a breach has occurred and how they will address the resulting problem. The policy should include prevention options, the company’s vulnerability, the testing they’ve done, and their incident response plan, including a communications strategy. Finally, all companies should have a post-response plan evaluation to gain insights into what’s been learned and any new processes and technology that are in place after the incident.

Security must be a priority for the entire business—not just IT—and user education is the most important first step. If employees don’t understand how to keep themselves, their organization, and the company data safe, they can unintentionally put their business at risk.

Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.
