This article can also be found in the Premium Editorial Download "Computer Weekly: The case for a European cloud market."
Download it now to read this article plus other related content.
One of the key roles that IT security plays is in facilitating the sharing of knowledge and information.
At Grafton Group, we strive for excellent customer service, and this can only be achieved by all parts of the business contributing to our goal - including information security.
It is good to see the industry recognising that a shift has taken place in information security, understanding that it has become a vital enabler within any business it serves.
But this can only happen when we as security professionals accept that information security is not at the centre of everyone’s world in our organisations. In fact, it’s frequently very far from their thoughts.
So, appreciating this, how can we help our businesses to protect themselves against the loss or theft of data without interrupting or interfering with their daily activities?
The first step is to remind yourselves of the primary business function that your organisation performs on behalf of its customers. In Grafton Group’s case, that is providing first-class customer service to the building trade - Grafton is the third largest builders’ merchant in the UK. In its most basic form, our service to our customers is to ensure we have in stock the items they need, at the best price, delivered on time by excellent customer-facing colleagues.
Read more on information security awareness
- The security education dilemma
- Education and skills key to cyber security, says (ISC)2
- Business context still missing from context-aware security
- Awareness training not enough, says security researcher
- Threat knowledge is key to cyber security, say experts
- Security considerations for UK enterprises
- Top cyber threats underline need for security awareness
So how do we achieve it? Information security has to be the part of the business that acts as the conduit or balancing mechanism between paranoia and anarchy.
Paranoia and anarchy
We all have in our organisations the two extremes – some who want to fully encrypt and have three levels of authentication to access public domain information, through to those who are prepared to share via social media the latest merger and acquisition plans. It is our expert knowledge and experience that enables us to assess the credible threats specific to our businesses’ information and data, and therefore apply the appropriate controls to protect it.
Through this process, we gain credibility in the organisation - both that we understand the business needs and are prepared to take a pragmatic approach without compromising the information of which we are the custodians.
Education, education, education
To coin a phrase – but it’s true – it is all about the education of our colleagues. We often talk about the tripartite relationship between people, process and technology.
The journey to maturity normally progresses along the lines of an acceptance by the business that it is handling some information that is sensitive or confidential. The first step is to introduce technology to protect that information and the business. There comes a time of “technology saturation”, at which point a number of security processes and procedures are introduced to the organisation. There then comes an optimisation phase where the technology is balanced against the processes.
What do I mean by this? If the technology is configured correctly, it is a binary process. In other words, it either works or it doesn’t. Equally, if the processes are honed to their optimum and if everybody sticks rigidly to them, then again they are fairly binary in that they will produce the same outcome every time.
Most colleagues do not bypass security controls for the sake of it – they generally do so to get the job done
The unfortunate outcome of both of these sets of controls is that they are viewed by the business as blockers to conducting everyday activities. This is often where IT gets the unfortunate name of “sales prevention”.
Get the job done
So, following the theme of people, process and technology, the only area in which to make any real gains is the people. If we educate our staff about the reasons why we have to protect sensitive data, why we must not write down and store credit card data, and so on, then generally they will be supportive.
Most colleagues do not bypass security controls for the sake of it - they generally do so to get the job done. So educate your colleagues, bring them along with you on the security development journey and you will find a willingness to work with you in protecting data and ensuring information security is at the forefront of their minds – as well as yours.
Wayne Pownall (pictured) is group information security and data protection manager at Grafton Group, and a member of the Corporate IT Forum. Through its Real IT Awards "Security as an Enabler" category, the Corporate IT Forum recognises that security can act as an enabler for businesses.
This was first published in May 2014