Security Think Tank: Secure collaboration not just about technology

What is the best approach to increasing collaboration without reducing security in an enterprise?

The best approach is not technology-based, but involves building cross-functional teams both within and without the organisation, encouraging the pooling of knowledge and experience, supported by business management, and using technologies that help them work together.

Building a successful and secure collaborative environment requires clear direction from management about the behaviours of the team, the information to be shared, and the role of security in the culture.

When choosing collaboration technologies, strike a balance between functionality, scalability and security. Buying a system on just one of these factors may lead to issues going forwards, as one or more of the factors may prove incapable of meeting future demands.

Cloud and mobile services can offer a mix of all three. It is important that all the parties – such as business, IT, legal and security – meet to agree how the balance is to be struck, to plan for future demand, to cater for legal and regulatory obligations, and ultimately to build the right architecture and environment: one that ensures the benefits of collaborative technologies can be maximised, while the risks of deliberate or accidental compromise of the confidentiality, integrity or availability of information are minimised.

Collaborative technologies will also require management in a technical context. Managers cannot assume that "IT will take care of it" and leave administrators to implement suitable controls to protect information and manage access by users. Additionally, managers cannot leave privileged users such as system administrators to work without supervision; they should at least regularly review what those privileged users are doing.

Finally, thought must be given to capturing, sharing and securing the information created during the collaboration. Measures to securely archive, delete and access the information – perhaps over a period of years – should be put in place at the beginning of the collaboration and resources allocated to support their successful operation.

Adrian Davis is managing director EMEA for (ISC)2
