Shared responsibility draws out the best of both parties
By Tallen Harmsen, head of cyber security at IndigoCube
As far back as 2014 Gartner was already talking about the tension between businesspeople and IT personnel over the use of cloud applications and services. It’s almost a non-issue for many enterprises today. Cloud is ubiquitous.
The hiccup is that it can leave a wide-open security gap right where enterprises can least afford one.
There are strong arguments why businesspeople should be able to spin up their own use of cloud apps and services and just as quickly spin them down again. For one, it’s quick. For another, it serves the business goals.
But businesspeople aren’t typically skilled IT users, so they don’t necessarily know how to ensure that the data they push to, consume in, and retrieve from the cloud is secured. The apps and services themselves may well be. All of the big cloud providers have ample security around their ecosystems.
But, even so, there can be nuance to how they treat customer data. Some include protection of the data in their service; others don’t. It’s all there in black and white for people to see, but who honestly reads the terms and conditions when they sign up for one of these services? Few people have time for it.
Reading the terms and conditions and being absolutely sure about what’s secured and what’s not is no longer something people can shrug their shoulders at and claim they didn’t know.
In the old days a techie somewhere in the basement would get fired if something went badly wrong. But responsibility now lies elsewhere.
Data security is increasingly the domain of the people who create, use, move, change, and delete it. That is seldom the IT administrators.
In today’s environments of elastic network borders and widespread access for a multitude of devices it can be almost impossible for the IT department to secure the corporate systems and data on its own. It’s too easy for people to create a system and populate it with data.
And, even though cloud services make using enterprise business systems and services a lot easier, that simplicity of use hasn’t yet filtered down into securing the data in this fluid world.
There needs to be a unity of skills and knowledge applied to securing the data, systems, apps, and devices by both businesspeople and IT.
They should regularly re-certify the data. Re-certification gives business owners visibility into what data exists, who accesses it, and which systems access it, and it gives them the opportunity to update privileges. They can approve and observe workflows, which means they are included in the decision-making process. File activity monitoring gives them important insight into high-risk behaviours by the data users.
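To make the re-certification loop concrete, here is an added example (not from the article or IndigoCube) that runs the three checks above over constructed data: an assumed entitlement export, an assumed file-activity feed, and a hypothetical cut-off date. It builds the worklist a data owner would sign off on (grants unused for a set period go to "review"), lists activity that has no matching grant, and flags bulk downloads of one data set inside a short window.

```python
"""Access re-certification and file-activity review over constructed data.

Added example; not the article's or IndigoCube's code. The input formats
(an IAM-style entitlement list and a (timestamp, user, dataset, action)
activity feed) are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement export: who may access which data set, and the
# business owner who must periodically confirm the grant.
ENTITLEMENTS = [
    {"user": "alice", "dataset": "finance/q3", "owner": "cfo"},
    {"user": "bob",   "dataset": "finance/q3", "owner": "cfo"},
    {"user": "carol", "dataset": "hr/payroll", "owner": "hr-head"},
    {"user": "dave",  "dataset": "hr/payroll", "owner": "hr-head"},
]

# Constructed file-activity feed: ISO timestamp, user, data set, action.
ACCESS_LOG = [
    ("2024-05-01T09:00:00", "alice", "finance/q3", "read"),
    ("2024-05-02T10:15:00", "alice", "finance/q3", "read"),
    ("2024-02-20T08:00:00", "bob",   "finance/q3", "read"),
    ("2024-05-03T18:00:00", "carol", "hr/payroll", "download"),
    ("2024-05-03T18:04:00", "carol", "hr/payroll", "download"),
    ("2024-05-03T18:09:00", "carol", "hr/payroll", "download"),
    ("2024-05-03T18:20:00", "carol", "hr/payroll", "download"),
    ("2024-05-03T18:41:00", "carol", "hr/payroll", "download"),
    ("2024-05-03T19:10:00", "erin",  "hr/payroll", "read"),
]

# Hypothetical date on which the review is run.
AS_OF = datetime(2024, 5, 4)


def parse_log(rows):
    """Turn raw (ts, user, dataset, action) tuples into dicts with datetimes."""
    return [
        {"ts": datetime.fromisoformat(ts), "user": u, "dataset": d, "action": a}
        for ts, u, d, a in rows
    ]


def recertify(entitlements, events, as_of, stale_days=60):
    """Build the re-certification worklist for data owners.

    A grant is 'keep' if it was used within stale_days of as_of, otherwise
    'review' so the owner decides whether the privilege survives.
    """
    last_used = {}
    for e in events:
        key = (e["user"], e["dataset"])
        if key not in last_used or e["ts"] > last_used[key]:
            last_used[key] = e["ts"]
    cutoff = as_of - timedelta(days=stale_days)
    worklist = []
    for g in entitlements:
        seen = last_used.get((g["user"], g["dataset"]))
        decision = "keep" if seen is not None and seen >= cutoff else "review"
        worklist.append({**g, "last_used": seen, "decision": decision})
    return worklist


def unentitled_access(entitlements, events):
    """Activity with no matching grant: the gap between the IAM view and reality."""
    granted = {(g["user"], g["dataset"]) for g in entitlements}
    return sorted({(e["user"], e["dataset"]) for e in events} - granted)


def bulk_download_alerts(events, window=timedelta(hours=1), threshold=5):
    """Flag users whose downloads of one data set reach threshold within window.

    Sliding window over sorted timestamps; each (user, dataset) pair is
    reported at most once, with the count that first crossed the threshold.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            by_pair[(e["user"], e["dataset"])].append(e["ts"])
    alerts = []
    for (user, dataset), stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, dataset, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for row in recertify(ENTITLEMENTS, events, AS_OF):
        print(f"{row['owner']:8} {row['user']:6} {row['dataset']:12} {row['decision']}")
    print("unentitled:", unentitled_access(ENTITLEMENTS, events))
    print("bulk alerts:", bulk_download_alerts(events))
```

The worklist is grouped by owner on purpose: the point of the article is that the person who owns the data, not the IT administrator, approves or revokes each grant. The two other outputs are the items IT brings to that review, an access path nobody granted and a download pattern that a business owner is best placed to judge as legitimate or not.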
It’s better than playing a blame game, with businesspeople claiming they read the security policy document and IT claiming businesspeople never played their role. At the end of the day the business loses, and so do some of the employees.
Empowering people to be responsible provides positive outcomes and responsive solutions.