The Department of No Becomes the Department of Yes
Information security, which used to be known as “The Department of No”, is reinventing itself to be a genuine enabler of business innovation. If you think about it, this had to happen because the world is always changing. New business ideas, new ways of engaging with customers, even entirely new sectors come and go every year. Anything that holds a business back from innovating and transforming is an unwanted roadblock.
At the same time, information security is incredibly important. The reputational damage to a brand from a data breach, or the financial loss from systems getting hacked, are too great to not take security with the utmost seriousness.
These days the job of information security, usually embodied in larger organisations by the CISO (Chief Information Security Officer), is to align the business’ security needs with broader business objectives.
Rather than “The Department of No”, it has become “The Department of Let’s Find a Way”.
Where do you start?
From corner shops to mighty global enterprises, all businesses today store and process information, about their customers, products, transactions, and finances.
Doing business means that systems and data need to interact with the outside world. The job of information security is to assess the risks of doing that, decide what level of risk is acceptable, and put in place the policies, and the checks and balances, to manage that risk.
Impact assessment is a good place to start. What would the repercussions be for your organisation, your team and your customers, if a particular piece of information was either unsafely exposed or irretrievably lost? What would the impact be if any system got accessed by a bad actor – hacked, essentially – or shut down for a period of time?
From there you define what policies and controls need to be in place. These controls apply to all business processes and IT systems that involve the handling or processing of data, including communications channels such as voice, email, messaging, SMS and the other channels used in the contact centre.
What does an information security plan look like?
Implementing controls to mitigate risks
There are several components to an information security plan. The most obvious is to agree to the limits that are put on any process, or on any system or person running those processes. Controls for enforcing those limitations should be built into appropriate systems and automated, so that you are not relying on people to do the right thing (or, perhaps more accurately, to not do the wrong thing).
There’s a great example of this on a recent AWS Information Security podcast. The guest tells a story of how he once accidentally shut down a remote server when he only meant to reboot it. His point is that the button to completely shut the server down should never have been right next to the reboot button on his screen. Had the user interface been designed with security in mind, he could not have accidentally chosen the wrong, and in this case quite catastrophic, option.
Balancing between functionality and interface
When building software, your coders, app owners, and operational leaders need to think about what you want users to do, what you will make extremely difficult for them to do, and what you never want them to do. In the cloud environment where many organisations’ software and services reside, it’s possible to configure the security parameters to the ‘nth’ degree for development, test, and production environments. Establishing where those security parameters sit needs to be a collaborative effort between the security team and users. This will ensure bottlenecks are not created in the process, preventing the team from accomplishing their goals.
Checks and recovery
Next you need to think about how policy breaches get reported, to whom, and what you do about them. Ideally, once a gap in your processes or controls has been identified, you handle it manually the first time and then automate it as quickly as possible to stop it happening again. For serious breaches, when actual damage has occurred or data has been exposed or lost, you need a recovery plan. Whatever your emergency response measures are, don’t just assume they will work; test them regularly with simulations to ensure you continually improve them.
Communication is the final element of any information security plan. All employees are expected to comply with the plan, however some will be impacted a lot more than others. Whether through training, through employee manuals, or through in-application prompts, employees are more likely to comply if they understand your policies and what is expected of them.
How does information security enable the whole business?
In the past, developers or operational people who were trying to innovate in a business could sometimes see security as a bottleneck. It was something to negotiate their way around when attempting to do something new. They were perhaps wary of going to the security team for fear that whatever cool new feature they were developing might get canned. Security was “The Department of No”, remember.
Ensuring business functions remain secure and compliant
The way that development and operational teams should work with information security is to raise their concerns right at the start of a project. Security must be built into any new project plan from the start, rather than furiously patched up at the end. For their part, information security professionals are aware that they cannot be a bottleneck. Their job is to facilitate whatever it is the business needs to do, and help implement whatever innovation is required, in the safest possible way that meets the business’ appetite for risk. In many sectors that will also include navigating regulation and compliance issues.
In an outsourcing business like ours, our information security responsibility to our clients and our clients’ customers and partners has to be at the forefront of everything we do. As we act as extensions of our clients, our policies need to be at least as secure as their own given we are working within their established risk parameters.
Visibility for the new ways of work
Having more visibility around the way we work creates a constant loop of reviews and improvements to help the whole organisation, and our partners, work better. As work becomes more collaborative, information no longer lies with just one person, department, or even company.
A safe environment that encourages innovation
Finally, we believe a business can only innovate when a culture of freedom and autonomy is encouraged. People will make mistakes, but they shouldn’t be blamed or scapegoated for them. As with the AWS podcast guest accidentally shutting down a remote server, these types of incidents can be caused by processes or controls that weren’t up to the job of error detection or prevention.
Ultimately, one of the main ways that information security can truly enable your business is by giving your employees a safe environment they can work in, and innovate in, without living in fear of accidentally bringing the ceiling down. Like children in a playground, allow your employees to explore all the parameters of a safe space and when they need to push the envelope even further – and they will if they’re truly innovating – your information security policy needs to help them do that safely, rather than block them.
TSA are Australia’s market leading specialists in CX Consultancy and Contact Centre Services. We are passionate about revolutionising the way brands connect with Australians. How? By combining our local expertise with the most sophisticated customer experience technology on earth, and delivering with an expert team of customer service consultants who know exactly how to help brands care for their customers.