As 2013 wound to a close, the business world was hit with several high-profile personal data thefts including Adobe.com (38 million+ logins and passwords) and the retail point-of-sale attacks on Target, Neiman-Marcus and the TJ Maxx companies (110 million+ customer records and credit/debit cards).
As CIO of Avnet, my role sits at the crossroads of business enablement and IT security, and it’s clear that in 2014 striking the right balance between the two will only increase in importance.
The Business & IT Security Balancing Act
Something as seemingly simple as determining what low, medium and high levels of risk mean can in reality be incredibly complicated, because ‘acceptable risk’ means different things to different people depending on their experience and personality.
To me, cloud is a perfect example of that alignment between the needs of the business and the need for security. I’ve talked about Avnet’s approach to embracing the cloud before, and the advantages cloud offers our business units in certain situations.
However, I also stand behind my comments in the piece about the importance of not simply outsourcing risk or reputation damage to a cloud vendor. That’s where the need for IT Security comes in.
To ensure that IT and cloud service providers live up to their claims, we put our prospective cloud vendors through a thorough vetting process which I outlined in my blog post “Five Keys to Choosing the Right Cloud Vendor”.
Cloud isn’t the only crossroads between business enablement and IT security, however. Workforce mobility is another, as more Avnet employees perform some or all of their work duties away from an Avnet office.
As data migrates from the network’s core out to the edge across a variety of mobile devices and secure and unsecure networks, it exposes Avnet employees and data to a host of new vulnerabilities in the process.
For that reason, it’s more important than ever to ingrain an IT security mindset throughout the organization, beginning with your front-line employees.
I discussed this a bit with George in a December 2013 ComputerWorld article, where I mentioned how Avnet has begun sending realistic – yet discernibly fake – phishing emails to our global employees on a regular basis.
Our security team keeps track of how many people click on the socially-engineered phishing email as if it were legitimate, as well as who discloses personal information versus who simply deletes the email.
By tracking the click-through rates — and counseling those who fall for them — we have significantly raised awareness of the human element in attacks, and made sure our organization is talking about security in an open and real way, from top to bottom.
As the needs of Avnet’s businesses evolve to serve their customers and suppliers, the methods malicious hackers use to get companies like ours to part with their sensitive information are evolving rapidly as well.
Striking the right balance between the two highly-dynamic environments of security and business enablement is essential, and growing more important as each new data breach hits the news.