A CSO’s tale: Moving security from the department of ‘no’ to ‘how’
- 05 December, 2016 06:30
The big thing for security is making sure we are enabling the business to do what it wanted to do.
Simon Burson, the security manager for Paymark, says that recently a staff member from outside his department approached him about a technical issue on a recent deployment.
It was, for Burson, an affirmation of how the security function is now seen differently by the rest of the organisation.
“It is nice to be associated with assisting the organisation rather than just be monitoring and in check and balance,” says Burson, who joined Paymark nearly two years ago from Spark New Zealand, where he was also security manager.
Paymark is New Zealand’s leading electronic payments company, accounting for over 75 per cent of the country’s payments. Its network covers more than 100,000 terminals which process around 60 transactions every second.
“We are very focused on security,” he explains. “Here it is all about protecting our transactions.”
“But we also want to enable people to operate in a modern world and so security saw the opportunity to enable that capability, take the lead on that and be seen to be enabling the organisation to do it in a secure way.”
But, as he puts it, “Security is traditionally seen as the ‘department of no’. What I try to be at Paymark is the ‘department of how’.
“My firm view is it is not for security to say ‘yes’ or ‘no’.
“It is to say when, and how much.”
He tells CIO New Zealand how they applied this approach during a recent technology rollout.
The business people wanted to use a person-to-person (P2P) collaboration tool. In this case, it was about allowing staff to collaborate faster, even in real time, and securely, with other staff members and third parties.
“Our job is not to say whether they could do it or not. It is to figure out how to do it in a secure way,” he says.
“That was the big thing for security - making sure we are enabling the business to do what it wanted to do.
“There is always a way to do something in a secure way,” he explains.
“And, typically the business wants a particular outcome rather than a particular solution.”
They investigated a series of options but chose Dropbox, which a number of staff were already using.
“That made the rollout relatively straightforward.”
“The thing I find is, when you are dealing with people, you have to treat them as people.”
“If they have a preconception that a particular product is not good, it can be difficult to change that perception.”
“If there is something they want to use and there is a way of doing that securely, then that is clearly going to be the best option.”
“From a security perspective, embracing something that was already happening rather than being seen as a gatekeeper during the deployment was important,” he says.
He admits there were a few issues during the deployment. “You are always going to have people that aren't particularly familiar with a technology,” he says.
Dropbox ran the training programme. “We had an open session for people who were struggling with the technology.”
He highlights the security imperative around any business technology rollout.
“We are like every organisation, we email a lot of content.”
“I am not talking about the highly sensitive content but stuff that should not be in the public eye,” he explains.
“You need to get it to the person and the easiest way to contact the person is by email.”
“We replaced that with something via their filesharing system through Dropbox.”
Email involves an unauthenticated, unacknowledged delivery of information to a third party. With the new system, they have an audited and tracked transfer of information to a third party.
There was a definite improvement in both security and usability: previously, two or more people collaborating on a file would email it backwards and forwards.
Now they can share it in a Dropbox folder and, once the collaboration is finished, use the file for operations or archive it.
“It allows more rapid iteration,” he says.
Through an integration with the cloud access security broker and cloud cybersecurity platform, CloudLock, all Dropbox Business sharing is secure and adheres to the PCI compliance standards Paymark is required to meet.
Previously, when email was used, P2P transfers were not only difficult to monitor—they were far less secure, he explains. “Once it is out of the gateway, we do not have that ability.”
He says the deployment also enabled BYOD (bring your own device).
Though the company already had legacy products in place, these did not work well across the range of new devices being used. Increased collaboration with third parties required an end-user system that was easy to use but would not compromise sensitive data.
Burson says the business driver was really around collaboration. But it was different for Burson and the security team at Paymark.
“It was a security led project,” he says.
“We have experienced the pressure to enable BYOD devices.”
Dropbox was instrumental in that capacity, he says.
“I would say the best business benefit would be security,” he says.
“We do not look at the files people are sending each other, but we can scan them for misuse; it might be malware or things like that.”
“That increased monitoring is from my perspective the greatest benefit.”
But if you were to ask someone from outside his department, you might get a different answer, he says.
“It probably would be around speed of collaboration within individuals as well as with third parties.”
“You can collaborate on a piece of design with a third party in real-time,” he states.
You can share with Dropbox, and when you go home, you can access that content on the phone if you want to read it.
“That piece of information is on all those devices, and it does not cost me anything more if I put it on a hundred more devices.”
In a business case, you might look at the financial figures but there are a lot of intangible benefits to a project, he says.
“There is the cost of it, but you save money because you are alleviating capacity on central storage, there is less time spent waiting for a reply made through an email.”
“If somebody updates a document I am working on, a little icon pops up and tells me that has happened.”
Burson explains that Paymark has a security guild whose members come from outside his department, such as marketing and development, but who have an interest in security.
“We make them aware of what the security team is working on,” he says.
They do this through meetings and presentations, and by sharing information through a Dropbox folder.
“They get a notification there is something new to read and they can read it on the phone or on the bus home.”
“Collaboration is identifying the numerous opportunities, rather than figuring out a single way you can use it,” he says, as he sums up the rollout.
“We are the ‘department of how’, absolutely.”
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz