Organizations must realize cybersecurity is not just an IT problem
Businesses starting to understand a holistic approach to growing digital workload is best
By Byron Acohido, ThirdCertainty
As technology has evolved, it’s gotten bigger and more complex, making the job of information technology departments more difficult. Dealing with Windows, Macs, the cloud and the Internet of Things (IoT) means they have to manage more things in more places.
I had the chance to discuss this with Phil Lieberman, founder of Lieberman Software, at Black Hat 2017 in Las Vegas. Lieberman spoke passionately about his company’s efforts to develop solutions to handle a growing digital security workload. Some takeaways from our talk:
Mind-sets must change. For years, security workers have been resolving problems by hand, “just like the Dewey Decimal System,” Lieberman says, “and what has happened is the amount of systems and the amount of identities and the controls have become impossible for them to manage.”
People build technology, then figure out how to secure it afterward, he says. “We are dealing with billions of devices,” as well as the many machines organizations use as they conduct more of their business online.
“We decided to create a technology that is like a Google search engine that would find all of these machines and find all of these identities and correlate all of it and change it and secure it,” he says.
Who’s in charge? Maybe it’s not the IT department. “Cybersecurity is not the domain of IT people,” Lieberman says, “and I know this sounds very strange,” because most people see cybersecurity as a technical issue.
Lieberman Software asks companies to make the role of the head of cybersecurity separate from that of the information technology department.
“When IT says, ‘We need to change this or change that to make things secure,’ they also say, ‘Don’t mess with my infrastructure,’” Lieberman says. “Unfortunately, what ends up happening is IT does not have the power to fix the problem.”
If you can’t automate security, you’re going to fall behind and leave gaps that will be exploited, he says.
Taking notice in the C-suite. Lieberman is pleased to see the corporate boards of major and midsize companies investing in cybersecurity.
Company leaders are telling their business units that they’ll get a temporary pass on profit and loss while they audit their technical assets and run them in a way “that is secure and will minimize losses to the company and minimize risk.”
“CEOs and boards of directors are now getting smart,” he says. “Technology without sponsorship of senior leadership is worthless.”
For a deeper drill down, please listen to the accompanying podcast.