Involving as many people as possible in the security process strengthens practices, thereby closing the gap between business users and security teams, argues Alex Armson

IT systems underpin almost every aspect of how today’s organisation functions.  But despite this reliance, securing that technology so that only authorised users have access to it (without that access being so restrictive it hampers operations) often exposes the divide between the security team and the business.

There are a variety of understandable reasons for the distance between these entities. Business users, focused on the milestones and the end result of what they need to achieve, may feel that security requirements add additional (and unnecessary) effort and therefore inefficiency; alternatively, the benefits of integrating security throughout the project may not be immediately visible. Or it may be a case of a disconnect, with the business not understanding the technical aspects of a venture and therefore not making sufficient provision for security at the beginning.

But in an age when IT security breaches increasingly make the headlines and GDPR is now part of everyday language, bridging the gap between these potentially disparate parts of the organisation should be a priority.

With that in mind, the following concepts should all be considered as they contribute to closing the gap between business goals and security requirements:

Enterprise architecture and its role in connecting the different business functions

Evaluating and understanding how separate business functions relate to each other is essential if business and security are to work in tandem rather than in opposition. The more mature the enterprise architecture, which defines how an organisation is structured and operates, the better this interdependence is understood and the more readily it can be designed into IT systems, so that the technology environment is set up to carry out business processes as efficiently as possible.

However, business processes evolve constantly so that informed decisions can be made and profitability maintained, and these shifts, and the resulting changes in job functions, can affect security design. Roles within software applications need to be created in a way that reflects this: for example, segregation-of-duties risks should be minimised in a way that, as the business develops, only requires role remediation rather than a complete redesign. (Building and customising roles based only on initial needs can introduce dependencies between the role design and a specific job function, without taking into account future organisational restructuring.)
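The paragraph above argues that roles should be built so that a reorganisation calls for remediation of one role rather than a redesign of the whole model. The following is an added example, not code from the article or from Turnkey Consulting, that illustrates one way to structure that: job functions are composed from reusable task roles, and a segregation-of-duties (SoD) check names the specific task roles whose permissions conflict. All role names, permission strings and SoD rules are constructed sample data, and the helper functions (`permissions_for`, `sod_violations`, `reassign`) are this example's own, not an API of any product.

```python
"""Added example: task-role composition with a segregation-of-duties check.

Not from the article. Role names, permissions and rules are constructed
sample data chosen to resemble an accounts-payable (AP) process.
"""

# Task roles: each grants a small, job-independent set of application
# permissions. These are the reusable building blocks that should not need
# to change when the organisation restructures.
TASK_ROLES = {
    "AP_INVOICE_ENTRY": {"ap.invoice.create", "ap.invoice.view"},
    "AP_PAYMENT_RELEASE": {"ap.payment.release", "ap.invoice.view"},
    "VENDOR_MAINTAIN": {"vendor.create", "vendor.edit"},
    "REPORT_VIEW": {"report.view"},
}

# SoD rules: pairs of permissions that no single user should hold together,
# with a short description of the risk each rule guards against.
SOD_RULES = [
    ("ap.invoice.create", "ap.payment.release", "create and pay own invoice"),
    ("vendor.create", "ap.payment.release", "create vendor and pay it"),
]

# Job functions are lists of task roles, never raw permissions. A change in
# what a job does is a change to this composition, not to the task roles.
JOB_FUNCTIONS = {
    "AP_CLERK": ["AP_INVOICE_ENTRY", "REPORT_VIEW"],
    "AP_MANAGER": ["AP_PAYMENT_RELEASE", "REPORT_VIEW"],
}


def permissions_for(job, job_functions=JOB_FUNCTIONS, task_roles=TASK_ROLES):
    """Effective permission set of a job function (union of its task roles)."""
    perms = set()
    for role in job_functions[job]:
        perms |= task_roles[role]
    return perms


def sod_violations(job, job_functions=JOB_FUNCTIONS, task_roles=TASK_ROLES,
                   rules=SOD_RULES):
    """Return one (description, roles_granting_a, roles_granting_b) tuple per
    SoD rule the job violates, so remediation can target the task role that
    introduced the conflict rather than rebuilding the job function."""
    violations = []
    for perm_a, perm_b, description in rules:
        grant_a = sorted(r for r in job_functions[job] if perm_a in task_roles[r])
        grant_b = sorted(r for r in job_functions[job] if perm_b in task_roles[r])
        if grant_a and grant_b:
            violations.append((description, grant_a, grant_b))
    return violations


def reassign(job, add=(), remove=(), job_functions=JOB_FUNCTIONS):
    """Return a new job-function map with task roles added to or removed from
    one job. This is the 'role remediation' step: the input map and the task
    roles themselves are left untouched, only the composition changes."""
    updated = {j: list(roles) for j, roles in job_functions.items()}
    roles = [r for r in updated[job] if r not in remove]
    roles += [r for r in add if r not in roles]
    updated[job] = roles
    return updated


if __name__ == "__main__":
    print("baseline clerk:", sod_violations("AP_CLERK"))
    # Restructuring 1: the clerk also maintains vendor records. No conflict,
    # so the existing task roles are simply recombined.
    jf = reassign("AP_CLERK", add=["VENDOR_MAINTAIN"])
    print("clerk + vendor maintenance:", sod_violations("AP_CLERK", jf))
    # Restructuring 2: the clerk is also asked to release payments. The check
    # names the offending task role for each rule it now breaks.
    jf = reassign("AP_CLERK", add=["AP_PAYMENT_RELEASE"], job_functions=jf)
    for violation in sod_violations("AP_CLERK", jf):
        print("conflict:", violation)
    # Remediation: drop the single task role that caused the conflicts.
    jf = reassign("AP_CLERK", remove=["AP_PAYMENT_RELEASE"], job_functions=jf)
    print("after remediation:", sod_violations("AP_CLERK", jf))
```

Because the SoD rules are expressed over permissions while job functions are expressed over task roles, the check reports which task role to remove, and the fix is one composition change; the task roles and the other job functions are never edited.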

Security-by-design and the importance of keeping it simple

One of the key principles of security-by-design is to keep things simple: maintaining an end-user-friendly interface, for example, while ensuring that this does not open up exploitable weaknesses. However, the technical nature of security means it is usually the remit of the IT team, with no constructive input from the business side, despite the fact that well-designed solutions require business and IT collaboration to make sure that all objectives are met.

Take the design of access control solutions: a core consideration is the access that users need to carry out their daily tasks. Business end-user contribution is essential here, while compliance teams also need to be involved so that the implications and risks can be assessed, along with how these will be monitored and controlled. Without this input, there is a danger that the solution becomes overly skewed towards security, with the result that it is too restrictive and therefore not fit for purpose.

Legislation such as GDPR emphasises the need for security to be considered from day one; in other words, security-by-design principles are becoming ever more critical.

Frameworks that drive security-by-design mindsets

With business and IT teams having separate – and often conflicting – priorities, creating an overall organisational culture that considers risk management on an equal footing with overhead cost reduction or resource planning can be challenging.

But a unified approach to security throughout the organisation is necessary to develop a mature risk mitigation strategy. This is where adopting a simple and consistent framework for everyone to follow can be useful, with the National Institute of Standards and Technology (NIST) cybersecurity framework being a good example.

Designed with the business user in mind, it uses straightforward language to establish a common understanding of what is meant by cybersecurity. This helps individuals throughout the enterprise to develop a security-conscious perspective that leads to a positive change in culture and everyday norms.

For example, in wanting to create a no-risk environment, senior management might stipulate that system access is minimised. However, overly restrictive access can impact operations by making it impossible for end-users to perform many of their daily tasks, resulting in the need for emergency access to carry out relatively low-risk activities.

In other words, while a zero-risk setting is perceived as desirable in principle, the reality is that it often creates heavy workloads for the IT team, as well as unnecessary headaches come auditing season.  In contrast, a security framework that is adopted by business users can create a more cohesive environment and lead to decision-making that centres round long-term security strategies.

A security-focused culture creates the opportunity for business teams to contribute positively to security tasks and share responsibility with IT counterparts.  

This is aided by leadership that is well-versed in both sides of the argument; such leaders can more effectively communicate cyber risk in business terms, and take a business perspective on security requirements, messages that trickle down the organisation. Involving as many people as possible in the overall process strengthens security practices, thereby closing the gap between business users and security teams.

Alex Armson, analyst at risk management company Turnkey Consulting