Building a defensible security program means striking a balance between the need to run a company and the need to secure it
Until every data asset within a company has a designated owner, technology governance is broken.
That’s been a guiding principle for Steve Hundley in the last eight years he’s been driving strategic IT security at Chicago-based rail-industry leader TTX.
“We need to start treating data like money,” he said, adding that successful governance policies are developed gradually as part of a larger, overall shift in company culture.
The potential competitive advantages offered by the Internet of Things, artificial intelligence and machine learning are exciting, but deploying any of those technologies simply for the sake of doing so is a distraction to corporate goals.
Cybersecurity threats in the workplace and privacy challenges for consumers at home are symptomatic of a breakdown in corporate governance and ethical decision making. A defensible security program, one in which you can prove you did what you said you were going to do, requires striking a balance between reducing risky behaviors and continuing to move forward and remain relevant.
Engage End Users for Successful Compliance
Like most information security teams embedded in midmarket companies, Hundley admits he has more to do than he has time to address. Within IT, risk management is much more tactical, and every team member shoulders responsibility for the company's overall security posture.
A key first step is putting together a Planning and Governance board composed of VPs and line-of-business leaders, as well as a governance committee of representatives from support organizations such as finance, HR and legal, to help drive the company's corporate governance guidelines.
“Don’t write policies with which you can’t immediately comply,” Hundley suggested.
Understanding how each business unit operates on a day-to-day basis, and the unique challenges each one tackles in order to do its job, is also vital to developing policies that will stick.
A railroad yard worker's uniform includes heavy-duty gloves that make multi-factor authentication on mobile devices all but impossible. So while some employee access remains device-restricted, TTX has partnered with market leader Duo Security to deploy multi-factor authentication across the organization, where it makes sense.
Restoring broken governance policies requires a logical, step-by-step approach that includes heat maps and a realistic timeline to shore up gaps, or, as Hundley likes to call them, risk opportunities.