Why Your IT Department Will Not Protect You

Data security is one of the most important responsibilities of the management at your organization. If it fails, you will know about it and you will feel the pain. Are you doing everything in your power and within your knowledge to prevent the next security attack? Probably not, and this is not a knock against you or your team. But simply put, the IT department will not protect you. The simple fact is that most people do not know what to do about data security in this Wild West environment we live in. The common and often mistaken wisdom is that IT will take care of that, that they are responsible for our data security.

This is the same as saying the security guard in the lobby of the bank is responsible for the security of your money. If he were, you would not keep your money there. Or it is the same as saying that the sentries posted around a military base are responsible for the security of that base. Yes, they are involved in security, but they are not responsible for the overall security of the bank or the military base.

The management is. In the case of the bank, it is going to be a C-level person at the corporate headquarters; for a military base, it is the responsibility of the CO, or commanding officer. Why is that? Because if a security guard went over to the bank tellers and told them they were handling the money in an insecure way, they would not listen to him. If the sentry at a military base went in to the radar operators and told them to sweep their radar further out on the perimeter, they would not listen to him either, because these low-level people have no authority.

If Not IT Then Who?

The folks in your IT department have a job. It is a productivity and maintenance job, sometimes with a little bit of development. And it is busy. They are fighting fires and dealing with failed or underperforming systems all day long. They are not experts in security, for the most part. Now, if you are a Fortune 100 defense contractor with billions in government contracts, you have an entire security department that is an overlay to your regular IT department. Yes, they can help protect you. They are well versed in security and they have the authority to influence policy for the overall security posture of the company. That is a totally different function. Most companies, on the other hand, do not have this resource.

Usually, it is a hodgepodge of different people working part time at data security. You may have a security contractor you call in time of crisis. But there is no coherent policy-level function to deal specifically with cyber security. Let me tell you who is making security their top priority: the hackers. Yes, the bad guys. They know that security, or the exploitation of security, is their primary function, and they don’t let it become an afterthought. They are working at it 24×7, every day, probing, pushing, testing, improving, and searching for new talent to find better, more sophisticated, and more persistent ways to get into your data.

Security Is Not An IT Problem: 

It is a policy-level problem that sometimes uses IT to deal with it. A major security breach at your organization will involve every member of your senior management. But relying on your IT to protect you will only lead to more attacks. And at that point, it will become very painful. The goal is to get management involved before you have the next security attack. It is much less painful that way. There are two ways to deal with this critical issue: preventive, with policy-level solutions, or reactive.

