Organizations have a rather funny and paradoxical relationship with IT security. Basically, nobody really wants to dedicate resources to their security needs until something bad happens. I think a big part of the challenge is that the notion of IT security can leave business decision makers feeling a little overwhelmed, especially when faced with the ever-expanding market of IT solutions designed to address different and varied aspects of security.
Here’s what you should know: your security strategy and plan should be based on the specific compliance requirements that apply to your organization. “Security for the sake of security” — that is, a generalized approach to protecting your systems and data — is not a wise or sufficient approach, because it won’t serve your specific, identified business needs. In addition, you want to ensure compliance with key laws and regulations that affect you.
For instance, if you are a financial services company, you’ll need to pay attention to the Payment Card Industry (PCI) Data Security Standard (DSS). Healthcare companies, on the other hand, will need to focus on the Health Insurance Portability and Accountability Act (HIPAA) requirements concerning patient data. Depending on region or country, organizations will also need to meet privacy-compliance requirements for personally identifiable information (PII).
The best way to ensure that you are in compliance is to put internal and external assessments into place for verification and validation. Many business owners and executive boards will not like the new cost line items for these activities at first, but this is the new and necessary world of IT security. In the old world, you had to buy and mount fire extinguishers that met regulations and satisfy other fire code requirements in your office building before the fire marshal would even allow your staff to enter. Just think of privacy compliance and IT security as the digital world’s equivalent.
When it comes to creating an IT security framework, you don’t need to reinvent the wheel. There are a number of external standards and frameworks you can use in order to account for the most common and prevalent risks. As long as you fully understand the type of data you store and process, you can use existing frameworks to provide the necessary protection and security.
And of course, the person in charge of IT security at your company will be (or should be) familiar with these standards and frameworks. There should be a defined person (or team) within your company that is responsible for systems and data protection and security. It’s critical that this IT point person or team is kept separate from the rest of your IT operations – that is, that he or she is not the person who designs, builds, or implements your systems, technologies, or processes.
This will require, at a minimum, two kinds of capable people: decision makers and action takers. The decision makers should focus on the bigger picture of the business, legal responsibility, accountability, and liability, while the action takers should follow the direction set by the decision makers and provide subject matter expertise (SME). This helps ensure that the technology is enabling the business first and foremost, not the other way around (as happens in many of today’s organizations trying to leverage technology).
A risk-based approach to IT security is the key to achieving any real success in delivering privacy compliance and security in the modern business and IT landscape. It will empower you to get ahead of issues or problems before they happen by building safer processes and safety nets. Otherwise, you are relying on a reactive-only approach, which I think is obviously not an ideal one. Applying an ongoing risk management program in your organization will create the necessary paradigm shift and should include continuous assessment, analysis, improvement, and validation.