Enterprise security skills: the communication factor
How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...
John Colley is the managing director for Europe, the Middle East and Africa (EMEA) at (ISC)2, the largest body of information security professionals worldwide with over 90,000 members across 135 countries. If anyone should know a thing or two about communication in the security business, he should.
Rather surprisingly, Colley seemed to be in broad agreement with the suggestion that IT professionals are failing to communicate security risks to their organisations, telling IT Pro this wasn't surprising as "IT professionals don't always understand the security risks themselves."
Colley explained that it must be the role and responsibility of business security professionals to communicate to both the IT professionals and the business as "they are the experts at the coal face of monitoring the threat landscape to secure the business."
When it comes to what Colley thinks is really causing this communication failure, however, the surprise factor is less evident. "Use of technical terminology is an endemic problem and perhaps one of the key reasons for communication failure between IT/security teams and the wider business," he says.
"IT and security professionals must speak the same business language. For instance, telling the business that it is likely to be hacked will not have the same effect as saying that if certain security measures are not adopted, the enterprise will likely lose its intellectual property."
One of the problems is that all too often IT has no way of understanding and assessing the value and sensitivity (and therefore the risk) of the company's data assets. Those people who do understand this value are the data owners in line-of-business roles.
Empowering the business leaders with formal data ownership and providing them with the tools to set and manage access to their data can achieve two big things, insists David Gibson, one of the vice presidents at Varonis. Big thing number one is increasing the company's protection of critical data assets and big thing number two is enabling IT to get out of the permission business.
"Let's say a bank teller noticed a stack of cash sitting unguarded in the middle of the bank," Gibson explains. "In order to calculate the risk associated with these bills, the teller would need to know the asset's value."
Are they $100 bills or $1 bills, and how much is the pile worth? Secondly, the teller needs to know to whom the assets belong in order to communicate with someone who is responsible for them. In this case, any bank official would ask: who is responsible for this?
It's just the same with data. When IT finds piles of data that are exposed to too many people or otherwise not protected adequately, in order to communicate risk, they need to understand the value of the data, and communicate the risk associated with that data to the right people.
"In other words, they need to find data owners," says Gibson. What's more, since data isn't usually as clearly marked as cash, the owners are needed to help quantify the data's value in the first place. "With so much information housed in today's data-driven organisations," says Gibson, "IT and the business have often lost track of who is responsible for which data assets."