In the digital enterprise, everyone is a security newb

Most breaches occur through applications not governed by security teams

[Image: man squeezed between file cabinets. Credit: Thinkstock]

Suddenly I've arrived at that age where many stories I share begin with, "When I was a kid." I remember my parents had a few of those old filing cabinets where they stored all of their important paperwork. My siblings and I were fascinated by this mini monster that housed banking information, tax forms, and household bills.

Even more exciting for us was when one of my parents left the keys in the lock and we were able to open the drawers and examine everything that rested protected in this large metal box.

My parents weren't alone. Virtually every office building was loaded with these storage units, and many of these structures contained critical information that needed to be kept under lock and key. Someone was responsible for keeping those keys, but certainly it wasn't the security guard at the front door of the building, right?

In the digital enterprise, security works much like the days of old except those filing cabinets have been converted to digital files stored on a network. Why then, does everyone in the enterprise presume that all of those keys have been turned over to the security team?

Ryan Stolte, CTO at Bay Dynamics, said, "In large organizations, there is the overall security team who is in charge of managing risk across the board. However, there are also different lines of business such as the HR department, marketing, legal, and others. Each of those departments has its own manager, application owners and IT experts; however, none of them are part of the security team."

In many respects, the way security worked "back in the day" was a lot easier for folks. If I worked in human resources and a stranger came in and started rummaging through the filing cabinet in my desk, I would know right away that something was amiss. Most likely, I'd call security and have the stranger escorted out.

In the digital enterprise, protecting critical data has changed. Communication is the missing ingredient: security teams don't have the information they need from the other business leaders, who are focused on different objectives, like sales goals or the customer experience.

"Those department heads are so concerned about keeping their own systems up so that they can continue bringing in revenue, that they overlook security. For example, the managers of a POS system do not want to have their IT guy take the system offline for an hour to fix a patch during Black Friday," Stolte said.

In order to best defend against the threats of malicious actors, leaders across all departments need to become more security savvy. "Line of business and application owners, those who manage assets that contain valuable information, must first recognize that the information they manage is of high value and they must communicate with the security team," Stolte said.

Whether you are a health care provider responsible for making sure a portal is available to patients or you are a business executive who is responsible for making sure your ecommerce is available, you need to become more security savvy. Stolte said, "Communicate with security by telling them, 'Hey, I manage valuable information. You need to tell me where my vulnerabilities are to insider threats and malware so that I can fix them.'"

In some cases, the security team may have already informed them of their risk and they chose to ignore it because they don't want to do anything that may impact revenue; in other cases, the security team doesn't communicate with them in the first place, so they are completely unaware that their POS system, for example, has a vulnerability.

Stolte said, "If I’m higher up and have the responsibility of making sure ecommerce is available, I need to understand the real risk of my being taken down by DDoS."

Embracing the role of a security newb, regardless of your role in today's digital enterprise, will help reduce the risk of an attack on the business. If everyone understands that security is a shared responsibility, they will better understand how they can be attacked as a person through phishing

Stolte's analogy of the filing cabinet is a logical comparison that helps make sense of the disconnect among key players who do not sit on the security team but need to be active participants in managing cyber risk.

"Line of business and application owners are the ones who have the keys to the file cabinet with the sensitive information. They are the ones who can flag if someone is going into the cabinet when they shouldn't be. The security team is merely the guy at the front desk of the building," Stolte said.

Once a person is inside, the security team can’t tell if the person is accessing things they shouldn’t be accessing without the context from the other key players.

This article is published as part of the IDG Contributor Network.
