Prevention, Not Cure, Is The Optimal Approach To IT Security

Last year was not great for IT security. Pick a month at random and you’ll find reports of serious data leaks and security breaches affecting millions of people. The news is biased towards the catastrophic, but with global cybercrime and espionage on the rise, businesses that rely on their online services need to do better.

Part of doing better is becoming more proactive about security and privacy. It is no longer enough to do the minimum to secure network boundaries and deal with security issues as they arise. Security has to become part of the DNA of modern businesses, a core business goal alongside and not subordinate to other goals.

Hosting sensitive data in a secure colocation datacenter instead of a less secure public cloud platform is a step in the right direction, but building secure applications and services requires a commitment to inspiring a culture that prioritizes security and privacy.

Everyone has a part to play

The first step in becoming proactive about security is to realize that your security team and IT staff need help. Those who work in this space have experienced the unnecessarily adversarial relationship that arises between IT and non-technical workers, largely because the workers don’t understand why IT insists on making life difficult for them.

Staff should be trained to understand the threats businesses face and the rationale for security policies. Hiring policies should make security awareness a prerequisite for consideration. Security is easier if everyone is pulling in the right direction.

Bring security into the C-Suite

If your company’s hiring policies are functioning properly, your developers and system administrators know what it takes to build secure systems. But are they given the right incentives by the company’s leadership? Incentives matter. When a company’s executives consistently prioritize productivity at the expense of security and privacy, we get situations like the Equifax leak.

Executives should make security a priority. Managers and project leaders should be incentivized to work towards key security metrics.

Make security a part of the product

In the past, consumers haven’t been particularly concerned about security and privacy. They weren’t factors that influenced consumer behavior. After Equifax, WannaCry, and a dozen other high-profile security lapses, consumers are learning to take security very seriously indeed; it’s becoming a key differentiating factor.

Businesses that make the effort to build secure applications and services will be more attractive to consumers who really don’t want their emails, passwords, and sensitive data leaked to identity thieves and other criminals.

For many businesses, the shift to a security-first approach requires a cultural evolution. But established businesses don’t have a choice: if they are unable to adapt to the demands of a market that includes ubiquitous organized crime and state-sponsored cyber attacks, they will be out-competed by startups that understand the mood of the public.