There’s no way around it: security is one of the most talked-about topics in businesses today. As the Co-Founder and Managing Partner of BridgeView IT, I’ve had the opportunity to engage in countless enlightening conversations with industry executives, technologists, and our own staff, and it’s time to share one of those conversations with you.
Phong To is a multi-talented Digital Transformation Advisor with over two decades of experience in CIO, SVP of IT, and other critical technology roles. He’s amassed unrivaled expertise going into organizations and leading vital security assessments that uncover and reduce business risk. A recent conversation I had with Phong revealed a number of important nuances to assessing security that business leaders everywhere can benefit from.
Phong: When I’m in charge of technology for a company, or when I’m running an IT organization, I view my duty in three parts: First, I seek to enable the efficient and effective use of technology, especially as it pertains to the user experience. Secondly, aligning an organization’s technology platform with business goals is critical. Companies have aspirations, and technology should always support those objectives.
Both of those things are contingent on my third duty: I’m always looking to identify and eliminate risk. Some organizations today will unwittingly add risk to the firm because their security is untested and contains vulnerabilities. A security assessment identifies weak points that, if left unchecked, could derail technology’s efficiency as well as organizational goals.
Phong: In addition to the fact that security impacts the entire organization, including the bottom line, you only have to look to news headlines to see why it’s so important. Company names like Equifax and Target are now associated with data breaches, while ransomware attacks like WannaCry devastate organizations.
It all comes down to this: when customers or regulators knock on your door and ask about your security measures and if you meet the standards for modern environments, are you prepared to answer? Meeting those standards improves the organization and helps frame your overall strategy by identifying risk items and making plans to remediate them.
Phong: Whereas businesses used to value money the most, information is what’s most valuable now. It’s why we see so many data breaches and cyberattacks; bad actors don’t need to rob a bank to be rich. They only need to hit a service organization with no security controls to steal credentials for 100,000 people and sell them on the black market. Modern businesses are no longer protecting physical items in vaults, but are protecting data. Like the valuable secret recipes for KFC or Coca-Cola, the proprietary information and private data today are now stored on networks, and they need protection.
Phong: While the financial industry is more regulated, with certain companies being required by law to perform regular security assessments, this is a topic that affects every sector. Technology processes directly impact the bottom line of companies, and one mistake can have far-reaching ripple effects. Not only does a company need its own assessment by an outside party, but their service providers and vendors need to be assessed. After all, if you think you’re safe but your vendors aren’t protecting your information or your customers’ data, that’s an issue. And what about the vendors your vendors are using? It takes a deep dive to truly feel confident in one’s security.
Phong: While it varies depending on the size of the organization, how well they’ve adhered to security standards, and the type of assessment, a rule of thumb is to conduct an ongoing security assessment annually. Additionally, if businesses today look for SOC Certification, an SSAE SOC 2 Type 1 assessment and report might take between six and eighteen months. In one unique situation I was able to conduct one in four months, while I’ve also seen some deeper assessments take two years to complete.
Phong: There are many steps, components, and subtopics that go into security assessments. Outside of the preliminary work, audits typically start with investigating access control. Who is using different pieces of technology and how is a company managing that access? From there we look at monitoring, system integrity, penetration testing, and much more, applying policies and procedures in each of those categories while using the five trust principles in SSAE as a guide.
Of course, some companies have no security policy in place, and for them we start from square one by developing procedures. In any event, it’s important to assess vendors, ask them questions, and review action plans with them to make sure security is a priority for everyone before certifying the audit.
Phong: SSAE SOC 2 framework provides five trust principles that guide risk assessments. These are distinct areas that help to organize the process and focus on important nuances of security:
- Security: This is all about who has access to systems and data. Have these people been reviewed? What happens if their access is compromised?
- Availability: If systems are in place, is there any redundancy in the availability of those systems? If you rely on a vendor or service provider and they go down, does that mean you lose availability too?
- Processing Integrity: Is your system a complete and accurate one that provides the output your business requires in a timely fashion? Is that output valid? This holds true for the outcome of any process as well. Making sure a business model doesn’t deviate from one day to the next is crucial.
- Confidentiality: Every business houses confidential information. Whether it’s customer credit card numbers or internal financials, what are you doing to protect this information?
- Privacy: How do you collect data, retain it, and dispose of it? Are there agreements in place between your company and vendors that maintain protocols on privacy?
Phong: Maintaining proper security will not get any easier, and the world will continue to produce data at exponential rates. The moment self-driving cars go into use, they will create more data in one day than there is in the library of congress. Social media apps are processing and capturing information on user locations and sensitive data. Technology makes life easier and can be exciting, but it creates more data and that introduces risk into businesses.
The only way to reduce risk and maintain proper security is to have an objective party from outside the business assess and audit your practices. Company leaders are often too close to the action to see the big picture of their organization and where risk is being introduced unknowingly. It isn’t easy, but it’s no longer just an option for today’s businesses; it’s a requirement.
Want experts like Phong to assess your organization’s security practices? Reach out to BridgeView IT today.