Exploring the vital, but often missing, link between Business Process Owners and IT - Kelly Webber, Senior Manager IT Security Consultant
I always dread when I'm asked what I do for a living. I think it’s because often when I tell people that I'm an IT Security Consultant the conversation immediately turns to securing networks, firewalls, and infrastructure. Which, to be fair, is IT security - but it is not what I do. I was curious one day and asked my 13-year-old daughter what she thinks my career is, and her response was “I have no idea, but it seems like a lot of data and extremely boring.” Which, honestly, is more along the lines of what my day-to-day job actually looks like.
As a security professional with expertise in access governance, application security, data security & compliance (what a mouthful!), I do deal with data, a lot of data: user IDs, email addresses, positions, organizational levels, business partners, roles, authorizations, sensitive fields, critical authorizations, data matrices, ITGCs, mitigating controls, control frameworks, and so on and so on.
During the last ten years of my career, around 90% of my clients cannot answer these two simple questions:
Who has access to what data?
Why do they have access to that data?
Even more worrying, business process owners cannot answer if there are data inconsistencies across their applications and systems. What happens when these organizations are now subject to new data regulations that require them to answer these questions within 24 hours or be slapped with massive fines? The answer to this problem is urgent, not only because organizations are becoming more digitally complex, but also because data privacy and security regulations are quickly becoming a reality for businesses! Organizations that successfully navigate these regulations will be proactive in defining and documenting where their data exists, who has access to that data, and how they can secure the data from being compromised. But how? What does security have to do with it?
This year’s RSA Conference theme was “Stronger Together” and I was delighted to see it, as this approach is critical for security professionals when organizations ask them to advise, fix, and secure their business platforms. Business Process Owners and IT are all too often operating in isolation, not discussing where and how data flows across systems.
Often, I'm asked to assist an organization in implementing and securing a specific application for a specific business process (HR for example). During discovery, when I ask the HR owners about what data in finance their joiners, movers, and leavers need access to, I get this answer: “Ask Finance. That’s not an HR question.” But conversely, if I'm implementing a new Finance application and ask Finance owners when during the hiring or transferring process do employees get access to applications, and how do you determine the access they have, the response I often get is: “Ask HR”.
We have to start breaking down these barriers across the business and start having real conversations about data! Security is the golden integrator between business process owners - the team that intimately knows how the applications work and where the data is on those applications. Why? Security administrators have already identified where the critical and sensitive data is in the system to be able to grant access. What happens if the organization needs to integrate those systems? Or what if an auditor asks a finance person who has access to critical data for a cost center? Unfortunately, IT security is often seen as a blocker to business processes, or “The Office of No”. But in fact, IT security is a key enabler of business processes. For the business to operate, data must be available to them, the integrity of the data must be protected, and the confidentiality of that data is key.
Businesses cannot thrive and will not survive if security is not given a seat at the decision-making table. Data regulations are coming, and quickly, and guess who can ensure your business is compliant? Security.
I’ve been seeing this issue creep up for the past 20 years and am ecstatic that these conversations are starting to become imperative to organizations. IT professionals have been training for this for years! Hopefully, we can move the needle enough so that when I ask my daughter about what I do at work, she answers by telling me, “You connect business and IT leaders to help make them "Stronger Together.”