Information has become a vital business asset in the digital age, and companies are taking notice. The trend has dramatically changed how companies approach data protection, and requires cooperation from the entire organization to ensure data security, said Nick Merker, an attorney with Ice Miller LLP.
In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed this new business focus on building a "culture of security" with conference speakers and ISSA members. Here, Merker discusses how companies can show the business value of information security, and why everyone in the company must be involved in data protection.
The theme of this year's ISSA International Conference was 'building a culture of security.' How can companies do that: foster a culture of security and make sure that security is embedded in all their business processes?
Nick Merker: I think there are two big concerns. The first is showing value. With security, oftentimes security folks like to put up red tape, or say, 'We can't do that because ...' or, 'Here are my concerns, and this is why we can't move forward with that project.' I think you have to take a positive approach and show how information security is a competitive advantage, how it will mitigate risk associated with the company. Show value instead of putting up roadblocks. Instead of saying, 'No,' say, 'Yes, we can do that, but here's how we're going to do it.' The second thing is getting everybody involved. Have a top-down approach to information security that starts with executives and upper management, and flows down to the rest of the company. This includes not only people in information technology, but those in sales, marketing and legal. Everyone should be involved in security, and that has to come from the top.
Merker: It's funny because you are seeing old attacks and old vulnerabilities cropping up again because you have the new Internet of Things, products that companies want to get out as quickly as possible. Because they want to get out to the market quicker than the next company, they are experiencing password mismanagement, old website traversal issues or other things that have been around for a long, long time. Once we figure out how to maybe slow down these products and treat information security properly when it comes to the Internet of Things, it will lessen the impact.
Information security processes and procedures have become a big part of a successful business. How does that change the information security professionals' role? Are they getting more involved in business processes because it's become so important to company success?
Merker: Definitely so. I am a former systems network and security engineer who is now a lawyer. The role that I play is to sit between the general counsel's office, the compliance office, and the information technology and security folks and make sure everyone is communicating. If you go back five or 10 years there'd be an information security silo, usually within the information technology group. Nowadays, it's really about getting everyone together, working together and trying to do risk assessments for the entire company. You're seeing more folks like me, and more folks coming out of other areas of the business outside of information technology having a voice in this conversation.
How can companies make sure they're not getting complacent when it comes to information security processes and relying on old security strategies that just aren't going to work anymore? How can they make sure information security remains flexible?
Merker: Some companies employ what's called check-box security, where you have PCI DSS you have to comply with, or you have some set of standards you have to comply with, and somebody is walking around with a clipboard with a bunch of check-boxes: 'Do we have an information security program? Do we implement an IDS?' Then they check a box when they do those tasks. That isn't an approach that's going to win the day for you. It's really taking a risk assessment of the company: identifying where your risks are, ranking those risks, and then determining as a company how you want to mitigate those risks and what controls you want to implement to mitigate those risks. That's how you stay at the forefront, doing that repeatedly. And not just doing it once every five years, maybe doing it once a year. Some companies even do it once a quarter.
I've heard a lot in recent years about how important information sharing is between the public and private sector to protect against cybersecurity threats. Do you think it's a viable option right now?
Merker: Definitely. I'll just give you a quick example. Look at what we've done with encryption. You go back 10 years [and] encryption … was not completely proprietary, but there were a lot of encryption algorithms that were held as trade secrets by companies. There would be vulnerabilities in those algorithms, and a lot of them are dead. Now, pretty much every company is using some version of AES. That's because the information security group came together and we developed this standard that works. That's one example that I think could be analogous to any other type of information security issue.