The security challenges we are still talking about

A few weeks back, I supported a security summit as the master of ceremonies. It’s been quite a while since I’ve been to a conference, so I was soaking in the content between introducing great speakers and spruiking about feedback forms.

The presenters and panellists generously shared their experience and recommended activities that have worked for them. But, for me, what I also found thought-provoking was what came after the presentations. While scratching down notes during the Q&A sections, it occurred to me that I had heard a lot of this before. This is no slight on the presenters at all; it is more a concern that most of the questions related to challenges that could be grouped into three themes that, to be honest, have been flagged for years and yet have persisted. These three themes were: no one senior is taking accountability for security, security is being brought into project discussions at the 11th hour, and an ‘it won’t happen to me’ culture leading to a lack of effective incident response capability.

These challenges can be overcome. Part of the answer lies in removing fear-based messaging and focussing on how secure solutions add value to the bottom line. Is it time to accept that the business is not going to automatically think about us when they are starting up new initiatives and instead build strong relationships across the business, so that security is front of mind when project sponsors are discussing the pipeline of work? And the ‘it won’t happen to us’ culture is perfectly normal given that security is often treated simply as a risk to be mitigated, rather than as something that requires a plan for how to respond when the risk is realised.

A lot of committed security professionals and CIOs in the audience sat nodding their heads empathetically at both the questions and the answers. Getting together to share ways of tackling these challenges is important. But we need to take action so we are not still talking about (and addressing) these same challenges for years to come.

What are you doing to combat these security challenges within your organisation?