“The reason really excellent sports cars have really excellent brakes is so that they can go faster.”
That little piece of counterintuitive wisdom comes from Jack Danahy, senior vice president for security at Alert Logic, one of AVANT’s key partners in the IT security space.
Jack and I were talking about the fast-moving and often-complex world of keeping customer data safe. Many professionals have historically viewed security as a money pit that adds nothing to the bottom line, but lately Jack has seen a different paradigm emerging.
“What we’ve been seeing over the last few years is that forward-thinking organizations have great plans for how to take advantage of the cloud or some new applications,” he said. “They actually begin to see security as an enabler of a new kind of business. In some cases, security is like insurance, but there are many things that companies want to do, such as pervasive interconnectivity with their users and open relationships with partners, that make this level of security important.”
In other words, some of the things that forward-looking companies want to do are things they would not DARE to do without the proper security mechanisms in place to give them confidence in the safety of their data. Just like putting good brakes on a sports car, the enhanced security actually enables the “driver” to get more out of their IT infrastructure and to do that without making major tradeoffs on safety.
This is a far cry from earlier days when IT decision makers falsely presumed that if nothing bad had happened yet, there was no need to spend much money.
“These days we have to do far less of an introductory conversation to teach them why they’re vulnerable because they’ve had their own experiences or read the news and understand that threats are all around them,” he said. “But too often, organizations will take a look at their environment, and will immediately jump towards a system through which they can provide more protection around that single resource that they deem most important. What happens is that the attack community is just looking for a machine that’s vulnerable. Sometimes it’s not even the critical machine, but the user of a different machine has access to that critical service. They need to take a comprehensive look at their environment and what connects to what.”
The next step is to develop your plan and then socialize that plan with others in the company who might share the risk. Maybe the finance people, for example, decide they have a role to play because the integrity of the financial system may be impacted if the system has a breach. By talking proactively about this, you can get more of the company to see their role in supporting security. By taking a team-oriented approach to IT security, consensus can be built, and much can be accomplished.
On the other hand, the dynamic nature of the threats and the complexity around those threats can often lead customers to feel confused. So, don’t feel like effective security is beyond your reach, even if your internal team does not include people with security expertise. Your Trusted Advisor has the necessary expertise or, if they don’t, they can bring the right people to the table.