5 Questions You Should Ask to Ensure You’re Approaching Data Security Correctly
Industries are transforming with the help of digital technologies and IT, and as competition increases across almost every industry, the pressure to digitally transform also intensifies. However, many companies start this process without thinking through all the potential ramifications. After all, there are numerous shifting pieces that organizations must consider as they move towards digital transformation; perhaps the most crucial piece to consider is data security.
Data is increasingly being stored in the cloud and third-party business partners are continuing to need digital access to that data. Failing to keep data security at the forefront of the priority list could result in a breach. Whether you are in IT or are a business professional who is responsible for business continuity, digitization or strategies, you need to be able to ask yourself questions to ensure your digital security efforts align with your business strategy.
Therefore, we believe that every security and IT professional should be asking themselves the following questions:
- Is your company’s security practice enhancing your business practices or restricting them? It’s important to know because this can mean the difference between productivity and profit on the one hand and seeing your business grind to a halt, despite your best intentions, on the other. How can you figure it out? Find out by reading: 5 Ways to be sure you’re not over- or under-solving for security.
- Do you have buy-in from all your employees and executives? In other words, do you have a positive business and security culture? The answer to this will determine what road you need to go down and whether you need to work on buy-in before you can address larger issues. Education is an excellent way to resolve any issues here. An outsider’s counsel from someone like a trusted advisor can also be helpful because sometimes employees will tell execs about a viable solution, but the execs don’t buy in until an outside source tells them the same thing. (We agree that it’s unfair!) If you don't have buy-in, you are wasting almost all of your other efforts; if employees don't understand and value a practice such as a security control, they will find ways around it, ignore it, or not use it properly.
- Do you know your company’s security rating? If not, you should find out. A security rating is important; just as a bank is going to be hesitant to issue a loan or an insurance company is going to raise your rates if you have bad credit, a bad security rating will make companies hesitant about doing business with you. It’s imperative you look up your security rating and take it seriously. You may find things you didn’t know about or things you need to correct.
- On that note, are you holding your suppliers and partners to the same or better standards than you hold for yourself? If you don't expect your suppliers, your partners, and whatever other organizations you interact with to adhere to standards that are equal to or better than your own, then you've opened the door to vulnerability.
For example, the Target breach in 2014 occurred because a vendor was compromised due to the lack of a proper malware system. In hindsight, Target would have benefited from vendor requirements. The security rating we mentioned above? It’s also important to check it for your vendors and partners to ensure nothing like this happens to you.
- Do you have a plan if something happens? Gather your team and create a tabletop exercise where you run through possible scenarios. Determine who would respond if these scenarios actually occurred, what announcement would be made to the press, and what the possible liabilities and risks could be so you can map out an internal plan. Use this as a starting point and meet regularly from there. Getting this seed planted and starting the thought process is one of the most crucial steps.
These questions are an important starting point for building a security ecosystem and should help you build a solid foundation. If you’d like help developing a truly comprehensive security awareness program, please contact us.