Operations

11/5/2016
10:00 AM
Greg Kushto
Commentary

Transitioning From The Server Room To The Boardroom

How can IT professionals balance business goals and information security?

For years, businesses and their IT operations experienced a strained symbiosis — each needing the other to thrive, but frequently at odds in matters of prioritization, budgeting, and resources. 

Fast-forward to the present day, however, and we see a cultural shift. Between numerous data breaches and a growing understanding of how technology affects the bottom line, today's executives embrace IT as a driving force. And yet even with IT departments ascending from the server room to the boardroom, a communication gap often remains. How can IT professionals bridge that divide and create a balance between business goals and information security?

More Than a Seat at the Table
You don't ask a lawyer to diagnose appendicitis or an engineer for legal advice. Making informed, meaningful IT decisions requires no less expertise — especially those regarding information security.

No one is better-versed in an organization's data than those of us tasked with protecting and maintaining it. Recognizing this, some organizations have tried to overcome the IT-to-business knowledge gap by hiring chief information officers or chief information security officers. 

While this helps raise awareness, by itself it hasn't produced a notable reduction in security incidents. Why? Because organizations too often hire IT leaders without integrating them into the decision-making process.

If organizations hope to create effective cybersecurity strategies, their IT experts need more than just a place at the table. They need a voice, one that's involved from the onset in discussions and decisions they'll be expected to support. It's not enough, however, to simply demand the microphone. Being heard in the business arena requires proving you're worth listening to.

Showing Our Worth
IT has long been the keeper of the information security castle. Building bridges, however, requires opening the gates and letting the rest of the business kingdom in. 

If we as IT professionals want a meaningful role in our organizations, we have to embrace our business counterparts. Moreover, we have to demonstrate how critical we are — not only by highlighting the risks of security failures, but also the potential gains of a solid security strategy.

By demonstrating how our roles and capabilities affect the bottom line, we have a better shot at influencing business decision makers and developing a security strategy that not only secures the network but also plays a direct role in our organizations' success.

Ultimately, if we can't use IT knowledge to advance our organization or its mission, having a seat at the table accomplishes nothing.

Accept Risk to Mitigate It
Information risk can't be avoided. As long as there are humans with computers and bad intentions, cybercrime will exist. Unless you turn off your servers, your organization always faces some level of risk. But shut-down servers achieve nothing for our organizations. 

Accepting risk, however, grates on the nerves of IT professionals accustomed to a comparatively black-and-white environment with defined parameters, clear expectations, and rigid processes. In contrast, businesspeople are used to negotiations, chance, and some reasonable level of risk. As a result, they learn to accept risk and control for it.

Just as executives lean on IT for technical expertise, this is where we as IT pros can learn from our business-side colleagues and their approach to risk management. It's not about disregarding caution. It means accepting that threats are inevitable, deciding explicitly which risks to mitigate, transfer, or accept, and taking the steps to avoid or limit the potential damage. A risk that is accepted should be accepted on purpose, by a named business owner who has seen the likely loss and the cost of the controls, not by default because nobody raised it. We must discuss risk and how it changes based on outcomes, resources, budgets, and other factors.

From Repairmen to Expert Consultants
There once was no way around it: IT was a laborious process. Configuring a server for different roles and access levels was a long, tedious endeavor, and the supporting network changes meant hours spent manually reconfiguring switches and routers.

Automation changed the game. Today, technology such as software-defined networking lets IT teams manage and protect their networks and data with less time and effort. The information security team defines the security architecture and manages people and processes from a high level, while the machine handles the small, repetitive tasks. The machine's advantage is consistency: it applies the same configuration the same way on every device, every time, which removes the fat-finger mistakes of manual changes. It does not remove human error altogether. A mistake in the template or policy is now reproduced across the whole environment at machine speed, so the templates themselves deserve the review and testing once spent on individual devices.

The result? An IT team with the bandwidth to focus on solutions and strategy and, subsequently, a more meaningful position at the boardroom table. This is how information security teams raise their overall profile and gain the attention of senior-level leadership — not to mention further their own careers and make their own jobs easier.
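The repetitive-check half of that division of labor, as an added example that is not from the article or from Force 3: a script that audits a fleet of switch configurations against a security baseline so an engineer reviews a list of failures instead of reading every config by hand. The device names, the IOS-style configs and the baseline rules are all constructed for illustration; the baseline is an assumption, not a published standard.

```python
"""Added example (not from the article or Force 3): audit a fleet of switch
configurations against a security baseline. Device names, configs and the
baseline rules are all constructed for illustration."""

import re

# Constructed IOS-style configs for three hypothetical switches.
CONFIGS = {
    "core-sw-01": """\
hostname core-sw-01
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
""",
    "dist-sw-03": """\
hostname dist-sw-03
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 0 0
""",
    "edge-sw-07": """\
hostname edge-sw-07
ip http server
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
""",
}

# Assumed baseline: (rule name, line regex, whether a matching line must be
# present). Leading spaces matter: "line vty" sub-commands are indented.
BASELINE = [
    ("ssh_v2_only",         r"ip ssh version 2$",          True),
    ("no_http_server",      r"ip http server$",            False),
    ("vty_ssh_only",        r" transport input ssh$",      True),
    ("no_telnet",           r" transport input .*telnet",  False),
    ("vty_timeout_enabled", r" exec-timeout 0 0$",         False),  # "0 0" = never
]


def check_config(text, baseline=BASELINE):
    """Evaluate one config; returns {rule_name: passed}."""
    lines = text.splitlines()
    results = {}
    for name, pattern, must_be_present in baseline:
        # re.match anchors at the start of the line, so "no ip http server"
        # does not satisfy the pattern "ip http server$".
        found = any(re.match(pattern, line) for line in lines)
        results[name] = (found == must_be_present)
    return results


def audit(configs, baseline=BASELINE):
    """Evaluate every device; returns {device: [failed rule names]}."""
    return {
        device: [rule for rule, ok in check_config(cfg, baseline).items() if not ok]
        for device, cfg in configs.items()
    }


if __name__ == "__main__":
    for device, failures in audit(CONFIGS).items():
        print(f"{device}: {'OK' if not failures else ', '.join(failures)}")
    # The caveat: drop a rule from the baseline and it is missed fleet-wide.
    print("dist-sw-03 under a baseline missing the timeout rule:",
          audit(CONFIGS, BASELINE[:4])["dist-sw-03"] or "OK")
```

Run as a script it prints one line per device, with the failed rules for each. The last print is the caveat: with the timeout rule dropped (BASELINE[:4]) the script reports dist-sw-03 as compliant, because the machine applies whatever rules it is given identically everywhere. The human judgment has moved into the baseline rather than disappeared, which is why the baseline itself needs review.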

Ultimately, information security's job is to protect the business and its mission. In today's threat-centric IT landscape, the dangers of not properly securing your infrastructure have become all too apparent. For today's IT professionals, there's never been a better time to stop absorbing the impact of business conversations and, instead, start influencing them.


Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...

Comments

Chip Munk,
User Rank: Strategist
11/4/2016 | 11:09:12 AM
Excellent Post
Sound advice for IT professionals who want to take the next step.