Why and for whom we are building an institute of IS business partners at Ozon
- The essence of the problem
- Three options for solving the problem
- More about the business partner
- Where to find business partners?
- What problems arise with business partners
- Questions and answers
Information security in a company exists to protect data, restrict access to information and prevent incidents. The larger the organization, the greater the risks. In practice, however, the requirements coming from information security often seem unclear to the business. Disagreements follow, and the project release is postponed. These problems can be avoided by involving business partners.
Gleb Povarnitsyn, Head of the Information Security Department for Business Partners, Ozon, shares his experience.
The essence of the problem
Often, when the information security department approaches the business, questions arise: "Why?", "What issues are being resolved?", "How does this affect the work of the department?" and so on. Because the goals are not understood, the work of information security is perceived as meaningless.
Another problem is having too many specialists. A situation can arise where each employee of the service makes their own demands, and these demands often contradict each other. Sometimes employees of other departments need to find something out from the information security specialists, but it is unclear who in the service is responsible for what, and whom to approach with questions.
It may seem that there is a simple solution: reduce the department to two people and leave it at that. One is the manager, the other is a subordinate. But two people cannot cover the entire set of duties; they physically do not have enough time.
Another, less obvious problem is scale. Medium and large businesses consist of many small businesses, and each process has its own specific risks. This must be taken into account; otherwise the information security system will be useless, eliminating the wrong risks or spending effort on secondary tasks.
Three options for solving the problem
The first option is to do nothing. Companies do live without any changes and remain quite viable: they make a profit, develop, and scale up.
The second option is to create security champions. These are programmers who bring the culture of information security to the masses. They are able to solve specific problems here and now, but you cannot expect a strategy from them. Since programmers are not security specialists in the full sense of the word, you also cannot expect particularly high-quality security work. And this is normal, since information security is a separate discipline.
Let's look at a simple case. About 9 months ago, Ozon decided to launch a project to attract workers to warehouses and sorting centers, and the Ozon Jobs app was created for this purpose. It is cross-domain, multifunctional, and universal. Development took 9 months, and the release has just taken place.
Now let's see what would have happened under the classic model of working with information security. We would hand over the code and project materials, and the security specialists would go off and study them. Meanwhile, development would stop while the application was under review. Then they would issue their comments, and the programmers would start fixing them. As a result, the release would have taken place... in about three years.
A security champion would do the same. The only difference is that there would be fewer requirements. A programmer still has a development culture and understands the field better.
The third option is to involve or appoint a person who works with information security directly. This person presents the requirements up front, studies the project and monitors changes. Another task is to give advance warning of the terms and dates of information security inspections.
Such a person is called a business partner. Their task is to act as the link between information security and the business. They oversee processes and help departments coordinate their actions.
More about the business partner
The first role is mini-CISO. In this role, the business partner assesses the current state of information security, forms a picture of the desired state of information security in the business unit, and creates a roadmap for achieving it. Put simply, the task of the mini-CISO is to determine point A and explain how to get from there to point B.
The word "mini" indicates that the business partner (BP) does not have a team of their own. They turn to other teams for help, for example the business unit or IT.
The second role is the Security Architect. This role is responsible for implementing information security in a specific project. It is best to bring in the Security Architect at the initial stage, so they can explain right away how to build a secure application or program. The specialist should know all security domains at a good level; this makes it easier for them to choose a solution for a specific project and thereby improve the product's security.
The third role is the mediator. This is a person who acts as an intermediary or conciliator, resolving conflicts between information security and the business, between IT and information security, and between IT and the business. The mediator explains the decisions that were made and, if necessary, revises the threat level.