Maksim Kabakou - Fotolia
Security, and specifically IT security, has for a long time been viewed as a bottom-line cost and therefore something to be minimised. But is it a bottom-line cost? Has a risk analysis of the company’s business been done and did it take IT security into account? Has a benefits analysis been done?
In a typical large enterprise, there is generally no argument over the cost of the benefits packages given to senior sales staff. It is seen as a cost of doing business. But these views are out of step with the current reality where the internet has become the major highway connecting companies to their customers and clients.
Infosec is critically important, given that databases are increasingly at the core of many business operations. What is held in these databases is sensitive and critical data covering areas such as personal details (staff, contractors, customers, subscribers), financial information (accounts, budgets, salaries, sales and purchase ledgers), asset information (hardware, software, licences, real estate) and project data (resources, GANNT and PERT chart data, budgets).
A company’s data architect, or database architect, needs to work hand-in-glove with the company’s information security and IT professionals to ensure that the data held in various databases is protected to a level appropriate to an agreed risk profile, to ensure that good levels of IT/cyber security are in place that support, but do not hinder, business goals.
It goes without saying that an information security champion on a company’s board will help immensely in achieving these goals, although a board should also have a champion who has an understanding of databases and virtualised computing (could be the same champion).
However, creating and maintaining close working relationships with other areas of a company is vital because it should ensure that projects – be they information security, database or IT Infrastructure – are complementary to, and/or effectively support other groups, projects or systems.
Some of those vital working relationships will include:
- The company’s business groups – they “own” the data.
- Development groups – they design and build the infrastructure and systems that run a company.
- Operational management – they “run” the infrastructure and systems.
- Change management – changes are necessary and reviewed and approved by infosec and other groups impacted by a change.
- Compliance – finance, regulatory, contractual and including the Data Protection Act 2018 and the EU General Data Protection Regulation.
- Third-party IT service suppliers – Amazon Web Services, Azure, Google and so on, application service suppliers, their partners and others.
The close relationships between IT/cyber security and data architects with the groups identified must ensure that security is fully enrolled into any project at the very earliest stage of inception and is included in the budgetary processes.
Databases, too, have often been implemented without a full and deep understanding of the security implications. For example, if a web front-end does not do an effective job of boundary checking of data input from an end-user, a database could be subject to SQL injection and other hacks.
For too long, IT/cyber security has been an afterthought and often an expensive afterthought.