Very few companies are able to prosper without co-operation with business partners and suppliers.
The key element of these relationships is trust – trust that the other party will do what has been agreed, and will do it in a mutually beneficial way. This cannot be achieved without communication, data exchange and collaboration.
This is an opportunity for CISOs to change the reputation of being “a control department” and become “an enabling partner”.
They should be proactive and show the business executives that it is possible to effectively collaborate with partners in a secure way.
The key success factor, however, is how seamless the process and tools for collaboration are. No one wants cumbersome processes just to share a file with an external partner. If this is what the CISO delivers, users will find ways around these security controls, effectively making security investment worthless.
What CISOs and security architects need to do is deliver controls that are both secure and seamless or, at the very minimum, easy to use.
This is an area where controls as close to the actual data as possible work best. While the traditional approach was to connect the networks over VPN, effectively connecting two hard-edge/soft-core networks, the data-centric approach best matches today’s way of remote working, cloud explosion and proliferation of multiple devices that access the data.
Indeed, a rethinking of security strategies, supported by technological advances, protocol standardisation and a boom in usable and secure cloud services, has made data-centric strategies possible.
So what data-centric controls are available right now for CISOs and security architects?
- Data classification tools for adding metadata to the data objects allow other security technologies to make decisions about what the appropriate level of protection is. This is a key element for any data security strategy.
- Digital/document rights management (DRM) delivers encryption of the data content. New versions of applications support the data lifecycle with DRM-protected content. CISOs need to know what applications are going to be used for collaboration.
- The standardisation in identity and access management allows companies to grant access to their resources (such as DRM-protected files) to their partners' users. This is a very powerful message for users, delivering seamless single sign-on to resources.
- Data leakage protection/detection tools can analyse the metadata/tags and ensure the information security classification policy is adhered to; for example, encrypting a sensitive Word document before it is sent to a recipient.
This is just a selection of the most prominent examples. The data-centric architecture requires rethinking traditional security and IT strategies. However, it is a worthwhile exercise to regain lost business trust in security leadership.
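How the classification tags, federated partner identities and DLP enforcement from the list above can combine into a single sharing decision, as an added example that is not part of the original article. The label names, domains and policy rules are constructed assumptions, not any product's behaviour.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional

class Label(IntEnum):            # classification metadata attached to a document
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

class Action(IntEnum):           # ordered so max() selects the strictest outcome
    ALLOW = 0
    ENCRYPT = 1                  # apply DRM protection, then send
    BLOCK = 2

OWN_DOMAIN = "corp.example"                # constructed: our own mail domain
FEDERATED_PARTNERS = {"partner.example"}   # constructed: partners with federated identity

@dataclass(frozen=True)
class Document:
    name: str
    label: Optional[Label]       # None means the file was never classified
    drm_protected: bool = False

def decide_one(doc: Document, recipient: str) -> Action:
    """DLP decision for one recipient, driven only by the document's tag."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    if domain == OWN_DOMAIN:
        return Action.ALLOW
    if doc.label is None:
        return Action.BLOCK      # fail closed: no tag, no basis for a decision
    if doc.label == Label.PUBLIC:
        return Action.ALLOW
    if domain not in FEDERATED_PARTNERS or doc.label == Label.RESTRICTED:
        return Action.BLOCK      # unknown external party, or data that never leaves
    if doc.label == Label.CONFIDENTIAL and not doc.drm_protected:
        return Action.ENCRYPT    # partner can open it after single sign-on
    return Action.ALLOW

def decide(doc: Document, recipients: Iterable[str]) -> Action:
    """Strictest action across all recipients; an empty list is blocked."""
    return max((decide_one(doc, r) for r in recipients), default=Action.BLOCK)
```

The ENCRYPT outcome is the seamless path the article argues for: the user sends the file as usual and the control adds protection instead of refusing the send.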
Vladimir Jirasek is managing director of Jirasek Consulting Services.