Ransomware, data breaches or never-before-seen attacks can have a tremendous impact on business operations. With growing executive demand for changes to cybersecurity processes and awareness come inherent challenges to an organization. So how difficult is moving cyber initiatives forward?
We’ll explore the challenges around change management, shadow IT, technical debt, data enablement and IoT.
Information technology is hard. It’s even harder when you are trying to change the behaviors of people who don’t fully understand why change has to be made. On top of that, people don’t like it when you tell them how to use their phones. They don’t like changing their everyday lives for the sake of IT.
Some of the big reasons people don’t want to go along with new security initiatives are a lack of understanding, conflicting initiatives or change fatigue.
Most organizations and employees aren’t equipped to manage and succeed in changing environments. Change fatigue is one thing most companies have been feeling more recently because of the emergence of the digital revolution. With IT spend increasing every year, every employee is impacted by the new purchases and new changes.
More often, directors and CISOs are focused on implementing the best security practices with the least impact to business operations. That’s where governance can ensure security strategies are aligned with business objectives and consistent with regulations.
Shadow IT buying is nothing new to IT teams, but the reality is that it’s becoming more frequent. It refers to applications and infrastructure that are managed and utilized without the knowledge of the enterprise’s IT department.
How does procurement keep up with people’s expectations when people are used to Amazon-like services, next-day delivery or instant access to servers? They can’t, and until buying processes change for teams or new processes are put into place, people won’t stop.
Directors and managers do not and should not blame engineers who want to continue progress on their projects, and they certainly don’t want to slow them down. One recommendation is to build a system to document concerns, dictate actions with governance controls and keep a running tab of the current status of devices.
What is technical debt? It’s a concept in software development that reflects the implied cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer.
How do teams keep up with new attacks given an inability to manage antiquated platforms and budgetary constraints? The first practical step is to understand which instances are mission critical, which are in use and which are dormant.
Another appropriate step to take is recording the state of devices on an ongoing basis. When it’s time to communicate the risk of dealing with antiquated technology and the reasoning for budget to improve systems, an accurate record of instances can be shown.
Deciding where and when to improve infrastructure is a risk conversation, where business continuity and operational risks are discussed with the CIO and the board.
DATA ENABLEMENT & IOT
There is so much to be said about IoT security and access to data… There hardly remains a room that doesn’t have some gadget connected to the internet, and while manufacturers work hard to keep up with security, the sprawl of potentially vulnerable devices is simply overwhelming.
Here are some things to consider when developing an IoT security strategy:
- Where does the risk reside in the technology stack?
- How are you protecting yourself or ensuring security best practices at each technology provider?
- Are you working closely with your hardware manufacturer to address hardware security concerns?
- Have you considered isolating components – cores, memory, application, system and other resources – to add more barriers for a potential attacker?
- Are you using secure protocols to transmit data?
- Does your data engine solution encrypt data?
OPPORTUNITIES FOR MOVING CYBER INITIATIVES FORWARD
- Build your network
- Strengthen internal relationships to build security champions
- Discover what’s out there – what’s critical and how to do it safely
- Launch educational efforts and communicate
- Take a risk based approach – prioritize efforts