Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Skills meltdown

John Colley is the managing director for Europe, the Middle East and Africa (EMEA) at (ISC)2, the largest body of information security professionals worldwide with over 90,000 members across 135 countries. If anyone should know a thing or two about communication in the security business, he should.

Rather surprisingly, Colley seemed to be in broad agreement with the suggestion that IT professionals are failing to communicate security risks to their organisations, telling IT Pro this wasn't surprising as "IT professionals don't always understand the security risks themselves."

Colley explained that it must be the role and responsibility of business security professionals to communicate to both the IT professionals and the business as "they are the experts at the coal face of monitoring the threat landscape to secure the business."

When it comes to what Colley thinks is really causing this communication failure, however, the surprise-factor is less evident. "Use of technical terminology is an endemic problem and perhaps one of the key reasons for communication failure between IT/security teams and the wider business" he says.

"IT and security professionals must speak the same business language. For instance, telling the business that it is likely to be hacked will not have the same effect as saying that if certain security measures are not adopted, the enterprise will likely lose its intellectual property."

One of the problems is that all too often IT has no way of understanding and assessing the value and sensitivity (and therefore the risk) of the company's data assets. Those people who do understand this value are the data owners in line-of-business roles.

Empowering the business leaders with formal data ownership and providing them with the tools to set and manage access to their data can achieve two big things, insists David Gibson, one of the vice presidents at Varonis. Big thing number one is increasing the company's protection of critical data assets and big thing number two is enabling IT to get out of the permission business.

"Let's say a bank teller noticed a stack of cash sitting unguarded in the middle of the bank," Gibson explains "in order to calculate the risk associated with these bills, the teller would need to know the asset's value."

Are they $100 dollar bills or $1 bills, and how much is the pile worth? Secondly, they need to know to whom the assets belong in order to communicate with someone that is responsible for the assets. In this case, any bank official would ask, who is responsible for this?

It's just the same with data. When IT finds piles of data that are exposed to too many people or otherwise not protected adequately, in order to communicate risk, they need to understand the value of the data, and communicate the risk associated with that data to the right people.

"In other words, they need to find data owners," says Gibson. What's more, since data isn't usually as clearly marked as cash, the owners are needed to help quantify the data's value in the first place. "With so much information housed in today's data driven organisations," says Gibson "IT and the business have often lost track of who is responsible for which data assets."

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020