Security Analyst: “The marketing department wants to use Facebook.”
Security Manager: “Wow. Those marketing people and their far out demands. Tell them it’s banned from the network.”
Security Analyst: “They say they need it to help sell our stuff.”
Security Manager: “Tough. They will just have to find a workaround.”
The above really did happen – and that marketing department did find a workaround. For most of each day, the entire department would jump off the corporate network and on to the public Wi-Fi network at the Starbucks downstairs.
It is events like the one above that help to perpetuate the myth that achieving robust security or data protection can often be in conflict with prioritising the business need to be agile and responsive to market conditions.
The marketing department had to work more slowly because of the bandwidth restrictions on the free Wi-Fi and, of course, working over a public Wi-Fi network opened their devices up to all kinds of potential intrusions and interceptions.
When I asked the security manager for the reasons that Facebook had been blocked, his reason had absolutely nothing to do with security. It was felt that employees should not be spending time on social networks – so they decided to block several popular websites that they thought were irrelevant to the business.
Of course, there was a section of the organisation that really did need to spend quite a bit of time on social media.
So here is my question: do you think this organisation had a security department that knew how to operate effectively?
Global business technology association ISACA recently released its Better Tech Governance Is Better for Business Research. In the ISACA survey of 732 board members, C-suite executives, managers, and professionals, 90% agreed that better governance of technology led to improved business agility and improved economic outcomes.
One of the main governance principles for the delivery of appropriate security is that it must provide effective support for the business objectives and stakeholder needs of each enterprise. In the example above, that was clearly not the case.
But is improved governance over technology really the answer? And if so – just what is good governance? And just how can it help enterprises achieve a commercial edge over their competitors?
Is more governance over tech really the answer?
In the past 10 years, the role of technology has changed. Tech is no longer an assistant to help keep operations running – it is the backbone for all operations. Take away the tech, and there is unlikely to be an enterprise left to run.
Interruptions, intrusions and thefts from an enterprise’s tech are no longer merely inconvenient; they are potentially life-threatening events for any business. Unauthorised intrusion, interruption and data theft from technology are also now the most significant form of crime on the planet.
As I write this article, I am in the middle of updating a publication for ISACA on its COBIT 5 framework. For those of you who are not familiar with COBIT, it sets out a structured approach for how to govern, manage and operate information systems effectively.
When hackers look at an organisation, what they are really looking for are the gaps: the holes that people forgot about are the potential vulnerabilities they can exploit for their own benefit. Even motivated insiders take the same approach. The only way to minimise the potential for those gaps to occur is to take a comprehensive and structured approach to security and the protection of personal information.
In other words, you need sound tech governance to achieve a robust and comprehensive level of security.
What is good tech governance?
In the COBIT framework, good tech governance means establishing a comprehensive range of policies and procedures that help each enterprise deliver and operate their tech appropriately to achieve organisational goals and minimise risks.
We often have to make sure that people understand the difference between governance and management. Governance sets out the rules that an enterprise should follow, for example its policies and procedures. Management is the people who help the enterprise operate within the rules that have been put in place.
How can good tech governance achieve a commercial edge? Consider what would happen in two organisations, where one has a process for staff who want to try a new cloud service and the other has no process – or maybe even an outright ban.
The organisation without a process:
- Any use of unsanctioned and external technology is likely to go undetected, until or unless it results in a security incident.
- The information used is likely to be at much higher risk of an incident because there was no security guidance (except, perhaps, for ‘don’t do it’).
- Any information of value is unlikely to be connected back into the organisation, so the value of that information is not optimised.
The overall result: the absence of any process leads to higher risk, lower security and less business value.
The organisation with a process:
- The people within the enterprise actively help identify new tech opportunities and do not feel like they have to hide opportunities.
- An enterprise-level understanding of the ever-evolving tech needs can be maintained. People within the enterprise can flag if or when there is new tech or a tech gap that needs to be addressed.
- Each technology that is used can be secured because the tech is identified up front.
- Any information of value can be connected and directed back into the appropriate part of the enterprise to ensure that the value is optimised.
So, my conclusion is this: The enterprises that are agile and responsive to their business needs are the same ones that really know how to achieve robust security and data privacy efficiently. They achieve it through good tech governance.
Robust but efficient security and data protection processes help businesses boom.
Raef Meeuwisse, CISM, CISA, Author and ISACA expert on governance