What Football (soccer) can teach us about data security
When discussing the notion of continuity in business and technological environments, marketers have been propagating many buzzwords that have caught on into general parlance. Of these, the idea of agility has really stuck and resonated with many different types of professionals. However, while widely discussed, most people rarely understand what’s really being conveyed by the concept of agility.
Agility is a generic term that simply means being able to move, pivot, or change direction as required without falling over or being thrown off course. This brings to mind the return of the Premier League and the start of the football season, in which football players and world-class athletes are required to pivot, change tack, and accelerate forward (and back) with skill while not losing control of the ball or tripping over their own feet. This is the true essence of agility, and this is what sets professional athletes apart from the amateurs who might play decently enough but never reach the upper echelon of truly agile players.
This concept applies to companies as well; moving towards a predetermined goal quickly and competently should be the aim of all businesses. However, on this journey (as with football) you have to deal with opposition and uncertainty, meaning that institutions must be able to shift towards the desired direction without causing detrimental disruption, loss of balance, or any breaking of the rules.
Software development teams as well as technologically minded professionals are all trying to operate faster and faster amid pressure from the top down. Nevertheless, it is imperative to note that agility and speed are two different things. Yes, the speed at which you can operate does impact your business, but in many cases, going too fast can be the leading cause for a missed opportunity. Agility is about finding the balance between composure and speed in a way that complements your end goal. The faster these things go, the closer you get to hyper-agility or, in software development terms, near-continuous delivery of functioning code. Athletes have mastered this near-continuous change to get something done effectively. Speed, a winning mentality, and the ability to manage and react to sudden change all are integral parts of hyper-agility.
What is stopping you from becoming hyper-agile?
Many things hinder businesses from achieving hyper-agility. These challenges manifest as cultural, staffing, training, or tooling issues. Indeed, the very mindset of business leaders can impact the culture of agility within your enterprise. Yet, like with a budding professional athlete, not everyone that strives for hyper-agility will even achieve it. Too often, a win-at-all-costs mindset is intrinsically woven into business, though anything from weak leadership to unmotivated employees can cause you to fail at the first hurdle. But what is this hurdle?
As data becomes more important to businesses, so too does protecting it. Just as sports professionals need to be aware of what they put into their bodies to cultivate specific muscles, businesses must understand what data is being circulated, and for what purpose. Just as putting the wrong fuel inside your body can cause lethargy and inhibit performance, so too does sloppy processing of (potentially sensitive) data come with its own perils. While many athletes are fortunate enough to have expert nutritionists, not every organization has the luxury of procuring a data security expert who has equal parts technical savvy and compliance know-how. With data manifesting in so many different iterations, it can often be a hurdle to hyper-agility. However, while a hurdle can present a roadblock for unprepared businesses, for the hyper-agile, it simply becomes part of the race.
Data security
For businesses, the focus has gone above and beyond simply maintaining business continuity by using data and methods like DevOps to speed up the delivery of software products. With this goal, data security often becomes a secondary thought. Remember, speed requires good technique. Think of the training regime of a developing footballer. What makes a truly successful athlete is mastering the fundamentals. It is no use being the best dribbler in the world if you cannot hit an open goal from three yards out. The same principles are true when considering data security practices. You must combine data security best practices integrally within the development cycle. Doing this upstream will not only provide a better insight into data security but can drive towards the much-coveted DevSecOps development cycle of continuous delivery along with secure data.
You will find two types of organizations: those that get it, and those that do not. The former are those that implement data security protocols in advance, and the latter are those that tick boxes as an afterthought in order to get a product out the door. Data privacy mandates hold boardroom executives accountable with very real punitive measures. Indeed, IKEA France was recently issued a hefty fine for data security non-compliance, and their ex-CEO was given a suspended prison sentence for mishandling and inappropriately using sensitive data.
To avoid a similar outcome, business leaders should provide proper budgeting and staffing to audit data processes and tools, integrating data securely into the larger workflow of development and operations teams. Unfortunately, many organizations learn this lesson too late, usually after they or a partner have fallen on the wrong side of a data security mandate (and usually due to a data security incident or breach). For many, data security is an exercise that exists in theory only, until it becomes a tangible menace. Like a trick play, it’s talked about but not in that practical sense of actually carrying it out. This must change.
The best offense is always a good defense
The saying goes: “the best defense is a good offense.” However, this could not be further from the truth when considering data security. Only by securing your own weaknesses will you be able to strive for and hopefully achieve hyper-agility, leaving your competition in your wake. If you are not moving towards hyper-agility and have no plans to, you never will achieve your goal. It can take only a few days off for a player to break a routine or lose critical skills, and it can take only one ambitious turn to twist an ankle and be side-lined. For many organizations, the major pitfall is how to deal with all the sensitive data. This goes back to the fundamental notion: does your organization have a culture of data privacy and data security? Your IT department may send out those emails like clockwork, instructing employees to change their passwords, but this is not truly a culture of data privacy. Top-down, left to right, data and the power of data must be valued and must be secured appropriately, without exception. Everybody in the business must be committed to it—as every player on a football team must be committed to winning—in order for the culture to thrive.
Smart organizations realize the importance of data security and privacy, and of incorporating this concept into the workflow directly. While this is a defensive maneuver, it has a tangible gain. Quantifying the failure to comply with data security frameworks is easy; quite simply, it can lead to huge financial and reputational penalties. For those organizations that just do not care about hyper-agility and data security, we hope the carrot dangling in front of them will be a better incentive than a stick from the ICO. Those hurt much worse than a kick to the shin!
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.