Security Think Tank: Security is a business, not an IT function

For information security professionals, collaborating with data architects ought to be an absolute imperative, and done well, has many benefits.

Collaboration that is outcome-based and business-centric is an ideal combination. In a perfect world, the security team could design how they want systems and assets set up, they could control the moving parts and it would all work seamlessly for the business. There may be occasions where this happens, but in general, we can all accept, it doesn’t.

Any business needs to structure its assets in a way that makes sense for the users and brings the best, most cost-effective results. A close working relationship with the data architects takes security several steps closer to helping embed security as well as start to move the perception of security as a business function and not an IT one.

Being aligned and collaborating with data architects means that appropriate controls can be built in, using the structure, instead of working against it to create “Fortress Solitude”. This means that users will get a better and more secure experience and are less likely to start behaving riskily by building shadow IT, sending work to insecure destinations or devices in order to do their jobs or some other equally infosec nightmare-inducing behaviours. 

There is also the added benefit of drawing the information security team closer to the business and to leadership, enabling them to fully identify and understand the business objectives, and in turn to then design security controls that are proportionate, pragmatic and business-supportive.

This means that security strategy and architecture is aligned with business objectives, and these then get baked in to architecture as a whole. It also stands a much better chance of being proportionate and pragmatic as well as moving with the architecture as changes happen, rather than being a fixed or forced overlay.

However – as is so often the case in areas of information management, data protection and records management, there is a tendency by the organisation to then expect these roles to work miracles.  The truth is that no single individual can truly understand all of an organisation’s information consumption needs without significant input from the business itself.

This is where having embedded and effective information asset ownership pays dividends. Requiring the business areas to be responsible for identifying what information collection, consumption, exploitation, sharing, retention and deletion needs they have, can contribute hugely to the success of the data architect and the information security functions.

With effective use of an information asset register, infosec teams, data architects and information asset owners can work together, shaping not only use of information assets and their protection but also forming an evolving structure; aware of its moving parts and focused on meeting business objectives.

The success or otherwise of this is going to rely on a wholescale change of culture. At a leadership level there must be an understanding that IT architecture alone cannot meet the businesses requirements.

At an IT level, an understanding that they do not govern, but they are there to advise, to guide, and more importantly, to enable. Finally, at a business level, that the information is a valuable business asset and one for which, as leaders within an organisation, they remain accountable and responsible for.

As Aristotle once said (and he knew a thing or two): “The whole is greater than the sum of its parts.” Never has this been truer that in today’s evolving infosec threat landscape.