A common misconception I see is that security (and privacy) is the realm of technologists or designated experts, not something integrated into operational design and delivery. This strategy can be shortsighted in today’s cloud-leveraged, agile-process-focused, information-sharing economy. Given all the security breaches, the dynamics of risk and compliance, and the complexity of service relationships (clients, vendors, service providers, personnel, outsourcing, etc.), this presents immense organizational challenges.
Here are a few concepts in my toolkit…
It takes a village.
Foster relationships with the primary stakeholders within your organization (privacy, legal, compliance, technology). They each have a unique and valuable perspective on the things we deliver. Leverage them. I don’t mean just get everyone in a room; actually engage them to understand their challenges and how they can help you reach more cohesive outcomes. Also, have an attorney with expertise in cloud/IP contracts so you can properly evaluate your contract risks (and the vendor). Contracts provide “tells” about a vendor’s data handling and risk levels.
Educate yourself and colleagues.
There are common tenets and risk points in modern security frameworks. You do not need to be an expert to understand the impact when security breaks down… just watch your newsfeed. However, you do have an obligation to understand how security (or the lack of it) affects you and the services you deliver. Have coffee with a technologist or a specific expert to gain insights and share challenges. One key to security is awareness. The more you know, the better prepared you are. Make security and privacy talks part of your discussion points, because the challenges are not going away (e.g. GDPR). Also, note… security and efficiency are two different targets; sometimes things take longer because they should.
Raise your expectations (or your clients will).
Understand expectations around security and privacy early in any engagement process. Some participants will be behind (still a risk to you), some will be catching up (educate them), and some you can learn from (an opportunity). I can tell you that “baking in” security as part of the overall process is much easier than “bolting” it on afterwards (and much more effective).
People, people, people – In the end, like technology delivery, operational targets are about managing the impact on people and process. People can be your weakest link or your strongest asset. It is one thing to design a process; it is another thing to get consistent adoption in how people use it. Be prepared to listen, learn, educate and adapt as you engage people. In the end, your message should also include that security is everybody’s job.
Become a data steward.
Like it or not, we are in a data-driven world. This provides immense opportunities (e.g. AI) and introduces new risks. Most of the risk is due to data scale and accessibility. Learn about your data and its impact, from both your perspective and your clients’, so you can understand the risk profile. In the end, the goal is to evaluate risks and impacts early on as part of the process, focusing on both efficiency and security to create better product/service outcomes. This reduces risk and also increases collaboration across stakeholders.