Strategy Over Action Items for IT Security

Information security expert Ganjar Imansantosa says a realistic plan is crucial in the defense against cyberattacks

Experts only

I came to information technology from the consulting world, where you were always expected to solve problems. You’re also expected to be goal-oriented and have a unique set of problem-solving skills. These aren’t traits everyone has, but you’re forced to develop these skills—and it’s a good thing. They will become a part of everything you do. These skills have served me well in information technology, where my unique background makes me an asset.

Skill diversity is crucial.

This field is growing at a rapid pace and the only way to differentiate yourself and grow in the profession is to have a unique set of skills that you bring to the table. You can be very good at technology, but you also have to understand the business and its goals. I like to think my business background augments my technological expertise.

Never put customers—and their loyalty—at risk.

When I first began discussing an end-to-end encryption project, it seemed like a radical approach. It’s becoming more accepted in the retail industry because the need for something like this is now so great.

Previously, credit card data was stored, which left customers wide open to fraud. End-to-end encryption means that the data becomes encrypted the moment a customer swipes their card at a payment terminal. The retailer and store employees will never see that data. Even if they wanted to do something malicious, they couldn’t; the data is never stored locally. Even if they did figure out how to access the data, they won’t have any way to decrypt it.

Trust is a must.

Overhauling your system for an end-to-end encryption project or just for security purposes requires a lot: reprogramming your registry, retraining your staff, and replacing countless registers. Without the support of your peers and management, you can’t be successful—despite ensuring that customer information remains safe, it will be seen as a disruptive project that nobody understands. You have to be viewed as a trusted advisor.

Breaches are big business.

We’re seeing a lot of headlines about hackers because of the amount and type of data being taken. Credit card information can be sold on the black market for two or three dollars, and health records can be sold for ten times that. It’s serious money. Robbers no longer need a gun and a getaway car; they just need a room and a computer.

Our methods for protecting information aren’t enough to counter today’s cyberattacks. The biggest struggle is getting companies to recognize that their security framework is likely inadequate and steps need to be taken to rectify that.

Combat information overload.

There is information overload happening. Companies are being given an overwhelming list of action items. What they really need is an information security strategy. Even before they think of the money and the cost of investing, they have to really understand the risks and have their priorities in order. I would recommend allowing your information security team to determine the most important risks. After they have this understanding, the decision must be made about how best to mitigate some risks and transfer others because of cost.

If you’re overly ambitious, what you’re really doing is creating unrealistic targets for your team. If you don’t strategize in a way that gives your team a few quick wins without having to first invest in multimillion-dollar, multiyear projects, they will become demoralized. This is a very important topic—having the right information security framework in place is crucial, but it doesn’t have to be overwhelming.