Social security: The importance of meeting and greeting

04 Aug 2010 Voices

Brian Shorten emphasises the importance of getting to know people inside and outside your organisation in order to tackle information security issues.


In my opinion the term ‘information security’ covers a wide range of topics, including compliance with the Data Protection Act, securing debit / credit card details, website security, network security, giving advice to departments and aspects of business continuity / disaster recovery.
     
Many organisations are large enough to have a dedicated person or team managing information security; I worked for one company which had a security department of 80 people, with several people responsible for each of these topics and more.

Other organisations are restricted to one person – maybe combining security with other aspects of IT.

Whatever the size of the security team, there is a safe bet that there will be areas of ignorance; no-one can know everything about a subject, particularly when the business itself puts extra emphasis on different topics.

Sharing research

For example, most businesses would take steps to prevent the sharing or leakage of all information. My own organisation exists to fund research, which is based around sharing information; you can’t do research in isolation. So our steps are to ensure we own the information being shared.

I found the idea of sharing rather than securing information confusing until I sat down with lab heads and found out about how research is managed.
 
This process of talking to the business is important; you need to find what the company does and how it does it; without that knowledge you cannot do your job completely.

And once you have made that first contact, continue it so your contacts in the company can keep you aware of upcoming changes which need your input and will impact on what you do, and also learn about how good security can add value to what they do.

Suppose the company is launching a new service at the end of the year; a warning from your contact three months ahead of the official launch is well worth a regular pub lunch in my opinion!

Looking farther afield

Making yourself known in the company at all levels pays dividends in getting the security message out and knowing what is happening, but there comes a time when you reach the end of your knowledge and experience; for example, you need to know how other companies handle a specific issue – say staff use of social network sites, or how good a piece of software actually is compared with what the supplier's website says. And what if you know nothing about PCI but are now responsible for it?

In these cases you need to reach outside your company to others for help.
Sometimes making these connections is easy; there are many networking groups based around the main industries – for example banking, telecoms, insurance. These are perfect for discussions and advice.

I’ll also make a brief mention here for the Charities Security Forum, which has been filling this gap for charities since 2007.

When you have made a contact for a specific issue, maintain the relationship and add others with different knowledge and expertise; when others ask you for advice – and they will, as no-one knows everything – make a point of responding as your contribution to the process.

Maybe you can be a mentor to someone who lacks your skill with a firewall while being mentored by someone who has more experience with audits and business continuity.

I can highly recommend the process of working with others in this way to share best practice on security.

Brian Shorten is BCP, risk and security manager at Cancer Research UK and chair of the Charities Security Forum