Lockr and Cellar Door Media founder Chris Teitzel had the opportunity to be part of a panel discussion on security during a session at DrupalCon 2016, held in New Orleans. The discussion served three primary purposes: it introduced some of the key themes in contemporary cybersecurity, it offered language for bringing these themes to customers in an effective manner, and it demonstrated the benefits of being a business which has a value based on security. We’d encourage you to watch the full session, found here; also feel free to download the slides on that same page. Below are some of the key takeaways from the event.
PART 1: DEMYSTIFYING SECURITY
Chris Teitzel (founder of Cellar Door Media and Lockr) was joined by Drew Gorton (Pantheon) and Luke Probasco (Townsend Security) to discuss the vast and, at times, confusing world of cybersecurity and how it applies to business owners and web developers. They began with a discussion of identity theft and some of the common myths surrounding security. “Security on your site is more than just a credit card,” they explained. What hackers are often after is the wide array of personally identifiable information (PII) which can be used to piece someone’s identity together. It’s easy to think that you as an individual, or the small businesses you represent, are too small to be a target, but the reality is you’re often more valuable than you realize. Your computer, your proximity to other systems, and your identity can all be co-opted and utilized in ways that are detrimental to you, your business, and your clients, and that bring some degree of value to a hacker. It’s important, then, to be aware of what PII you store online and how secure that information and the systems it is held within are.
Even when faced with this reality, the steps that lead to strong security are often blocked by the overwhelming belief that encryption is too complicated. The panel demonstrated, though, that encryption can be made simple if you take advantage of the tools at your disposal. Encryption is difficult to break and difficult to create, but utilizing it doesn’t have to be, and it doesn’t have to have any noticeable effect on your performance. Ultimately, whether or not your company deals explicitly with security issues, if you are collecting any manner of personal information from your customers, then they are trusting you to take the appropriate steps to secure that information.
PART 2: THE SECURITY CONVERSATION: EXPLAINING IT TO CLIENTS
Once you, as a web professional, realize the importance of strong security, it’s essential that you’re able to communicate this same importance to your clients. Some of what the panel is able to do in this portion of the discussion is provide you with the necessary rhetoric and “jargon” to join the security discussion. To understand the pillars of security they employ the CIA acronym (confidentiality, integrity, and availability), explaining the role and value of each in a well-secured web presence. It is not, ultimately, an issue of security or no security. Security runs on a spectrum, and it is a question of more or less. Your role, as a business being trusted to keep your clients’ information secure, is to always ask how you might increase your current level of security. The panel encourages you to think of security less like a wall and more in terms of layers, employing a defense in depth approach. It’s a question of timing, of how long a hacker might be stalled, and subsequently discovered or inhibited, as they attempt to breach your security; that is what allows for a more comprehensive defense. The more layers you can add to your security posture, the more likely a positive outcome.
Also, regarding PII, if you don’t have to collect it, then don’t. Every additional piece of personal information means increased liability for you. This might mean saying no to clients from time to time, but when this is done for the sake of security, they will respect you for it. It’s important to ask your clients key questions about what data is collected and what sort of business is being conducted, listening for key trigger words that represent weak areas of security; the panel provides a list of example trigger words to listen for.
PART 3: BUSINESS WINS
Being a company that makes a priority of incorporating security into all you do will allow you to stand out from the crowd. Meeting and even exceeding security benchmarks set by enterprise companies will increase your chances of winning RFPs. Security is growing as a niche field within the world of online business; making a name for yourself now as a champion of security will help you stand out, and it’s only a matter of time before it’s a requirement to do business. Data privacy is becoming not only a “good thing to do”, but an inherent right of your online customers.
Security, for you, will have to be a team exercise in which every member of your team takes on the responsibility of ensuring the security of their domain. The panel provides examples and methods for bringing everybody under your roof in on the security priority, and as such making you a stronger and more profitable company.