IT Security and Communication


Information security encompasses several aspects of business, such as financial systems, protection of the physical environment, and health and safety regulatory requirements.



IT security is a broad field that includes many professionals who operate in different capacities. We have general practitioners who have some knowledge of many things concerning cyber threats. This is the base level of IT security. Like the medical profession, these professionals may refer you to specialists. In IT security these specialists can be regarded as technical experts. We also have non-technical security professionals who understand the risks of business and how to integrate IT security into the corporate strategy. In addition to these roles, we have product experts who assist us with tuning information management systems or perform IT forensics.



The common and shared goal of all IT security professions is to identify and protect the assets of organizations.



In the realm of IT, I operate as a systems administrator and manager with focus on cyber security.



The foundation of IT security is confidentiality, availability and integrity.



 



Confidentiality is crucial, as an organization’s intellectual property must remain protected from threats and theft. That said, IT security professionals must balance confidentiality with availability: data must be protected and also be available to those who need to access it.



Integrity ensures that data remains unaltered while being transmitted or stored, unless alteration is required.



This foundation must support the business or organization. To accomplish this, IT security professionals must understand the assets of the organization. We must engage in conversation and communication.



This engagement typically begins with the stakeholders and decision makers of the organization. These folks are usually deeply rooted in business. On many occasions the languages of business and information technology are different. One of the many challenges for IT security professionals is translating the language of cyber security effectively for stakeholders.



Regarding cyber security, no organization is bulletproof. Vulnerabilities within an organization will always exist and can be exploited. This is a threat. These threats can have impacts on organizations.



We are all aware of some cyber-attacks. For example, Social Network X was recently very successfully attacked by cyber criminals. This attack brought the social network down, making the platform unavailable.



AT&T and T-Mobile have suffered cyber-attacks. In fact, several U.S. telecommunications companies were targeted in a campaign in which hackers exploited vulnerabilities in unpatched devices. The attackers gained access to metadata of calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers of over a million users, possibly yours or my own. I know I’m tired of scam calls.



A few years back, Baltimore city experienced a significant ransomware attack that disrupted numerous municipal services and led to substantial financial losses.



With that said, to help deal with cyber threats and mitigate risks, IT professionals can introduce countermeasures or controls.



When implementing cyber security and controls, consideration must be given to potential cyber-attacks and the organization’s assets. Focusing on security without regard for business needs can be counterproductive. To properly support the organization, IT security professionals must consider the cost of implementing countermeasures, i.e., controls. In other words, the end result should justify the means.



Organization stakeholders and business professionals may be focused on creating additional business opportunities or enhancing the brand. It is important for IT security professionals to communicate with stakeholders and understand their objectives. A clear link must be established between business concerns and countermeasures to ensure that IT security controls are implemented properly. Also, such communication ensures that the IT security implementation aligns with the organization’s goals.



For example, when implementing IT security for an organization, the stakeholders should be made aware that business partners are reassured when said organization has implemented and applied adequate security measures. Mitigating cyber security risks can translate into strengthening trust in the brand as well as increased sales.



 



A far greater example of this type of communication is the IT security work I have performed with the Maryland State Police department. Successfully patching their systems and remediating vulnerabilities has had a powerful positive effect on improving cyber security and ensuring the safety of Humans. I am so grateful for the opportunity of implementing these types of projects and security measures.



Expanding this example while adhering to the subject, communication between IT security professionals and stakeholders is crucial.



Organization assets include several pieces, and in my IT security work with public safety, Human life is the priority.



As I began my initial IT security analysis with the Maryland State Police, it was important to understand the functions and roles of various departments within the organization to be certain that implementing security controls would not negatively impact functionality and thereby jeopardize lives.



While communication begins with stakeholders, IT security professionals must also engage end users to understand how implementing security controls may impact their functionality.



When creating IT security policies and implementing security measures, it is important to consider whether the controls support and align with organizational processes and procedures.



For example, if end users downloading or sharing sensitive data is a concern, implementing network shares, issuing encrypted portable storage devices and/or enabling secure remote access may be options. However, if the capacity of network drives or storage devices is inadequate, these solutions will not be effective. It is crucial to understand the needs and requirements of end users to support the organization properly.



Also, I have been involved with some projects and organizations where the stakeholders were more concerned with acquiring cyber security compliance certification than with IT security. This is one of the main reasons why communication between IT security professionals and stakeholders is so critical. Being solely focused on compliance and disregarding the implementation of actual IT security can open an organization to cyber-attacks.



Per the examples of cyber-attacks I mentioned earlier, we are all connected. If you are interested in hearing and learning more about effective communication regarding IT security and business, like and share this post.



Thank you and as always, I challenge us all to think.



 



Sincerely,



William

