Don't Think IT-Security is a Technical Problem

by Florian Schütz

You think security is something the IT department has to handle and that it “should just work”? It is somehow important, but investing too much money in it is not worth it either? Some IT geeks are just dropping the money into some kind of deep ditch in the server center anyway? Are you secretly thinking that you would rather spend it on that fancy Facebook campaign instead? If you think so, then you are not alone.

But, unfortunately, you are not right. You should re-think your position.

The thing is, don't understand IT-security as a technical problem. You have to see the broader picture. The main question for you is: "What could harm my business? (And what's the cost of it?)" And the second question should be: "What could I do against it? Where could someone attack?" And if you think about that question, there are actually a lot of places! Communication, networks, IT systems, the applications your company is using (starting with office products and ending with the complex applications your company is building), but also your physical office, the data center and even your own personnel (or you yourself, opening the attachment of the latest job application). There are a lot of attack points.

And talking about attacks: not every attack is the same. There are traditional IT security incidents, caused by actors such as small-time criminals, individuals or groups just “having fun”, community hacktivists, or insiders. And there are cyber security attacks, carried out by actors such as serious organized crime, state-sponsored attackers and extremist groups.

To be clear, when you talk about security, it is not necessary that you know the exact difference between a virus, a worm, or a hybrid attack (unless you are the dedicated security expert in your company). It is not necessary that you know in detail how to configure your firewall or webserver. But what you should know is how your business processes would be affected when systems become unavailable. Which clients would be affected? How would your team react?

Overall, there are some essential things you should be aware of. In day-to-day business, aspects of information security are often neglected, and in some organizations they are simply forgotten. If responsibilities are not assigned, or not clearly assigned, there is a risk that information security generally becomes "other people's problem". You have to understand what could happen and what the cost of recovery would be. The risks from cyber security incidents are real: cyber security attacks now regularly cause significant damage to the performance and reputation of many different organizations.


Security Principles for The Management

  1. The management of the company must understand and address cybersecurity as a company-wide risk management issue - not purely as an IT problem
  2. The management should understand the legal implications of cyber risks on their business
  3. The management should have adequate access to cybersecurity expertise, and cyber risk discussions should be scheduled regularly and given appropriate time at board meetings
  4. In the discussion of corporate governance on cyber risks, it should be clarified which risks should be avoided, which should be accepted and which should be mitigated or distributed via insurance - and which specific measures should accompany each of these variants
  5. The management should nominate a dedicated Information Security Officer
  6. The management must provide adequate staffing and budget