It is nearly impossible to pick up the morning newspaper or go online and not be confronted by another story about the emerging saga of Hillary Clinton’s email scandal. While, of course, much of the dialogue is politically based, there are deeper lessons to be learned here, as the situation is really a common occurrence in the business world and, as we now see, in the public sector as well. Whether Hillary’s actions were legal or illegal is a matter for the FBI, the Department of Justice, and ultimately the courts and public opinion to decide. There is, however, a very basic cybersecurity lesson to be learned from the events.
Any true security professional understands that business alignment is essential for any security program. If business alignment is not present, then the security program is not meeting the needs and requirements of the business. Without business alignment, the security program is ineffective and will likely lead to poor adoption.
Reading Fox News this morning, two points jumped out at me. The first was the reported incident in which Hillary Clinton instructed an aide to strip a document of any classified markings and send it digitally instead of using a secure fax. The second was the event in which Clinton, unable to establish a secure phone connection, instructed another aide to simply call her on the insecure home phone. What really happened here?
What happened is that the controls and technology put in place to secure critical information assets failed. What happens when failures hinder productivity and the seamless conduct of business? Employees create workarounds, bypassing the security measures in order to continue working and accomplish their tasks. Not only does this happen in government, it is a common theme in the private sector as well, and it extends to broader concerns such as shadow IT. Security programs fail without business alignment.
In past experience managing a team of security professionals supporting customers in a managed services environment, I’ve witnessed this as well. The team encountered an IT department bent on unilateral security measures which often rendered it impossible to perform tasks and service customers. Between the frequent outages, unavailability, and controls which quadrupled the time it took to complete even simple tasks, frustrations ran high. What happened? Well, the team of security engineers was a bit more advanced than their counterparts in IT, and simply engineered solutions around the technical roadblocks imposed by IT. Again, a case where security programs fail without business alignment.
Eventually, the FBI and the justice system will determine whether what Hillary did was right or wrong. In the meantime, we can understand the likely reasons why, and the lesson for us in the cybersecurity world is that if we want our security program to succeed, we need to achieve business alignment.
Does anyone have any thoughts or experiences to share on achieving business alignment? From the perspective of a business owner or manager, what do you expect from your security team when aligning with your core business needs? Please leave a comment.