Q&A

Tackling the C-Suite Security Barrier

Data security's biggest threat might not come from outside attackers, but from management getting in the way.

Inside the Session

What: Security is Not Meant To Be a Matter of Convenience

When: Nov. 21, 8:00-9:15 a.m.

Who: Principal Systems Engineer Steve LaBeau and Microsoft MVP Émile Cabot

Why: "Although C-level management would like more secure solutions, it is the balance sheet which keeps them in their position and the banking institution afloat – with security being an afterthought."

Find out more about Live!360, taking place Nov. 17-22 in Orlando, Fla. And register by Aug. 16 to save $500!

Securing C-suite support for IT initiatives is crucial yet often challenging, even when it comes to security. Sometimes the bottom line beats out properly securing your data.

To gain insight into these challenges and explore strategies for bridging the gap between leadership, IT teams and end users, we spoke with Steve LaBeau, a seasoned professional with over two decades of experience in the banking industry. In this Q&A, LaBeau shares his perspective on the key obstacles to securing executive buy-in, the risks of misalignment between leadership and IT and the impact of remote work on security strategies.

He'll also be diving deeper into how to bridge the IT and C-suite disconnect when he's joined by Microsoft MVP Émile Cabot at their Live!360 session, "Security is Not Meant To Be a Matter of Convenience," this November in Orlando, Fla. If you haven't made plans to join us, register today (and save $500 by registering before Aug. 16) to take part in this and many more insightful talks at this year's Live!360.

Redmond: In your experience, what's the biggest roadblock to getting C-suite support for IT's security efforts? Is it money, red tape, resistance to new procedures or something else?
LaBeau: From my 23 years of experience in the banking industry, the primary C-suite support challenges from my perspective are the independent software vendors (ISVs) that partner with banking institutions still code in sometimes well-end-of-life (EOL) and less-secure programming platforms or modules. I believe these large ISVs would have to rewrite their programs to accommodate the newer, more secure programming elements and techniques. ISVs appear reluctant to spend the money for a rewrite and are too large of an organization to plan, orchestrate, and efficiently execute a rewrite effectively.

This is all related to C-suite support challenges in that their focus is on running the institution and the balance sheet. Therefore, although C-level management would like more secure solutions, it is the balance sheet which keeps them in their position and the banking institution afloat – with security being an afterthought.

What do organizations risk when there's little (or zero) alignment between leadership and IT?
Security, efficiency and effective collaborations for problem-solving.

How about end users? How should IT teams approach their organizations' end users to make sure they're on the same security page as the technical and leadership teams?
A documented companywide security doctrine defining a unified approach to security policies would do a lot to make a more secure environment. This company mandate should require that each employee read and sign (digital signatures) the document as recognition and accountability that it has been read and is understood.

Development of a company security beneficial suggestions exchange is also key. This may be a SharePoint Site, Teams Site or other media vehicle which permits the free interaction of ideas to improve and strengthen security.

Finally, end-user training should include short, concise updates and refreshers when practical. This will help to introduce new or changed processes and procedures or merely keep the masses on-track.

What has been the impact of remote/hybrid work on how IT teams approach security?
With the proper auditing and security measures in place, the impact should be seamless. In fact, one could make a case that being remote takes away the physical risk. This means that being onsite can introduce temptations of access and control of physical devices other than one's own company-issued laptop or device.

How big of a disruptor will AI be to organizations' security strategies? How can IT teams and leadership prepare now for what AI will bring?
When it comes to AI and security, my initial tendency is to align with my military background and training: users must have the "need to know." 

Follow a tailored "Role-based Access Control (RBAC)" type access to the AI toolsets. Not all users will require access to AI.

The introduction of AI to the user community should be aligned with their job descriptions, if possible. Why? Because one cannot "assume" that the answers of AI are pure and correct. The user must be well versed enough in the subject matter (being AI queries) to challenge and validate the replies of AI. Once AI vetting and validations have occurred, a responsible direction can be defined to go forward with the AI results as necessary.

This may come across as strict, but as we get deeper and deeper into our relationship with AI, it may be best to begin with a structured, audited approach versus an ad-lib maiden voyage, where orgs might need to pull back on the reins later.

About the Authors

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
