Bringing prevent defence to the datacentre

How the Indianapolis Colts are stepping up their security game

Finding a job description from my hometown football team that fit my skill set sparked an immediate thought: Heck, yes.

Fast forward 10 months, and I'm now running everything from incident response to data governance, to third-party risk management for the Indianapolis Colts. Here's how I plan to build our overall security architecture and improve our security posture while working hand-in-hand with our IT team and various business units.

Jack Thompson, information security architect, Indianapolis Colts

Formalise data governance

When I joined the Colts, there was a data governance strategy already in place, but the issue I found was that it wasn't documented.

This could be the case across industries: IT and security teams know what they're doing and how to do it. But since processes and procedures are not centrally captured, they're not repeatable. If somebody were to leave the organisation, they'd take that tribal knowledge with them - it would be impossible to pick up the reins and continue. And that's one of the reasons that formalising and standardising data governance processes at the Colts organisation is one of the biggest improvements I've seen so far.

Manage third-party risk

The importance of third-party risk management isn't lost on security or IT professionals. We've all seen what happened with Log4j, SolarWinds, and MOVEit. That's why assessing the level of risk a new vendor might add to your environment is critical. If vulnerabilities exist, we as security/IT leaders are responsible for mitigating that risk.

But it's not something we can entirely do by ourselves, and certainly not without knowing our organisation's risk appetite. First, we need to work with business leaders to identify how much risk they're willing to accept. Would a certain vendor just add too much risk? Or could the business and IT collaborate on ways to mitigate the risk so that we could still take advantage of emerging tech? Security and IT leaders need their help to establish the right balance.

Speak the language of business users

That means no jargon. After all, any technical language usually puts end users to sleep. That's why I've found it helpful to speak in a way that business leaders can easily understand. I focus on the risk to their lines of business.

What will happen if we don't apply new security measures? Customer data is at risk. The financial and reputational costs of a breach loom large, but if we invest just a fraction of the total cost of a potential security event, we can prevent a world of headaches and regret.

I make it clear to business leaders that I'm not the security guy coming up from the basement, telling them that they must do something. I don't want to be a blocker. I want to be a collaborator, and I want to form a partnership to ensure they stay as safe and secure as possible.

This approach has helped me drive new initiatives and foster a culture of security at the Colts organisation. Everybody thinks about security now, which is fantastic from my perspective because that's a step forward in overall protection for our business.

This article first appeared on our sister site, the MES IT Leadership Network