Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Skills meltdown

John Colley is the managing director for Europe, the Middle East and Africa (EMEA) at (ISC)2, the largest body of information security professionals worldwide with over 90,000 members across 135 countries. If anyone should know a thing or two about communication in the security business, he should.

Rather surprisingly, Colley seemed to be in broad agreement with the suggestion that IT professionals are failing to communicate security risks to their organisations, telling IT Pro this wasn't surprising as "IT professionals don't always understand the security risks themselves."

Colley explained that it must be the role and responsibility of business security professionals to communicate to both the IT professionals and the business as "they are the experts at the coal face of monitoring the threat landscape to secure the business."

When it comes to what Colley thinks is really causing this communication failure, however, the surprise-factor is less evident. "Use of technical terminology is an endemic problem and perhaps one of the key reasons for communication failure between IT/security teams and the wider business" he says.

"IT and security professionals must speak the same business language. For instance, telling the business that it is likely to be hacked will not have the same effect as saying that if certain security measures are not adopted, the enterprise will likely lose its intellectual property."

One of the problems is that all too often IT has no way of understanding and assessing the value and sensitivity (and therefore the risk) of the company's data assets. Those people who do understand this value are the data owners in line-of-business roles.

Empowering the business leaders with formal data ownership and providing them with the tools to set and manage access to their data can achieve two big things, insists David Gibson, one of the vice presidents at Varonis. Big thing number one is increasing the company's protection of critical data assets and big thing number two is enabling IT to get out of the permission business.

"Let's say a bank teller noticed a stack of cash sitting unguarded in the middle of the bank," Gibson explains "in order to calculate the risk associated with these bills, the teller would need to know the asset's value."

Are they $100 dollar bills or $1 bills, and how much is the pile worth? Secondly, they need to know to whom the assets belong in order to communicate with someone that is responsible for the assets. In this case, any bank official would ask, who is responsible for this?

It's just the same with data. When IT finds piles of data that are exposed to too many people or otherwise not protected adequately, in order to communicate risk, they need to understand the value of the data, and communicate the risk associated with that data to the right people.

"In other words, they need to find data owners," says Gibson. What's more, since data isn't usually as clearly marked as cash, the owners are needed to help quantify the data's value in the first place. "With so much information housed in today's data driven organisations," says Gibson "IT and the business have often lost track of who is responsible for which data assets."

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

The IT Pro Podcast: Why techies shouldn’t become managers
Careers & training

The IT Pro Podcast: Why techies shouldn’t become managers

10 Sep 2021
Podcast transcript: Why techies shouldn’t become managers
Careers & training

Podcast transcript: Why techies shouldn’t become managers

10 Sep 2021
The IT Pro Podcast: How umbrella companies exploit IT contractors
IT regulation

The IT Pro Podcast: How umbrella companies exploit IT contractors

3 Sep 2021
Podcast transcript: How umbrella companies exploit IT contractors
IT regulation

Podcast transcript: How umbrella companies exploit IT contractors

3 Sep 2021

Most Popular

HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021