Organizations must realize cybersecurity is not just an IT problem

Businesses starting to understand a holistic approach to growing digital workload is best


As technology has evolved, it’s gotten bigger and more complex, making the job of information technology departments more difficult. Dealing with Windows, Macs, the cloud and the Internet of Things (IoT) means they have to manage more things in more places.

I had the chance to discuss this with Phil Lieberman, founder of Lieberman Software, at Black Hat 2017 in Las Vegas. Lieberman spoke passionately about his company’s efforts to develop solutions to handle a growing digital security workload. Some takeaways from our talk:

Phil Lieberman, Lieberman Software founder

Mind-sets must change. For years, security workers have been resolving problems by hand, “just like the Dewey Decimal System,” Lieberman says, “and what has happened is the amount of systems and the amount of identities and the controls have become impossible for them to manage.”


People build technology, then figure out how to secure it afterward, he says. “We are dealing with billions of devices,” as well as the many machines organizations use as they conduct more of their business online.

“We decided to create a technology that is like a Google search engine that would find all of these machines and find all of these identities and correlate all of it and change it and secure it,” he says.

Who’s in charge? Maybe it’s not the IT department. “Cybersecurity is not the domain of IT people,” Lieberman says, “and I know this sounds very strange,” because most people see cybersecurity as a technical issue.

Lieberman Software asks companies to make the role of the head of cybersecurity separate from that of the information technology department.

“When IT says, ‘We need to change this or change that to make things secure,’ they also say, ‘Don’t mess with my infrastructure,’” Lieberman says. “Unfortunately, what ends up happening is IT does not have the power to fix the problem.”

If you can’t automate security, you’re going to fall behind and leave gaps that will be exploited, he says.

Taking notice in the C-suite. Lieberman is pleased to see the corporate boards of major and midsize companies investing in cybersecurity.

Company leaders are telling their business units that they’ll get a temporary pass on profit and loss while they audit their technical assets and run them in a way “that is secure and will minimize losses to the company and minimize risk.”

“CEOs and boards of directors are now getting smart,” he says. “Technology without sponsorship of senior leadership is worthless.”

For a deeper drill down, please listen to the accompanying podcast.
