Why Security Should be a Business Leader Concern

Security can no longer be an issue only delegated to your IT or SecOps teams. 

The global average cost of a data breach increased by 2.6% from $4.24 million in 2021 to $4.35 million in 2022, representing a constant and significant risk to business continuity, reputation, and profits. 

Rising cyberattacks and the current geopolitical landscape require security to be at top of mind for every business leader. Not only for their own products and operations, but also for the technologies that they implement. 

When considering the technologies in your own tech stack and future investments, security can no longer be just a checkbox at the bottom of your procurement to-dos. Bring it to the discussion early so that you’re not wasting your time with a solution or tool that isn’t able to properly secure or protect your data. 

Security Terminology Business Leaders Need to Know 

Security, compliance, data — all terms that get thrown around. But what does each mean and why is it important for your business? 

Security refers to a set of practices and measures taken to ensure the confidentiality, integrity, and availability of systems and information. 

Compliance involves adhering to a set of rules and regulations established by governments such as GDPR or HIPAA, industry bodies, or even internal company policies. 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.

Data Protection focuses on protecting users’ personal data. Data Protection Compliance is a subcategory of Compliance. The main goal of data protection is  to prevent any use of personal data (by internal and external parties) in a way that could harm individuals.

Zero Trust is a security model based on the principle of not trusting any entity by default, regardless of its location or context, and requiring verification before granting access.

Data Protection and Security Measures to Look For When Selecting a Vendor 

According to Gartner Digital Markets’ research, security and cyberattacks are a top trigger of software investments, especially to protect against financial, legal, and reputational damage.  

When selecting a vendor here are a few key things to look for in regards to security. As a business leader, you may not need to understand all the specifics but having answers to these points early in the discussion will help ensure you actually go with a vendor that can present real trust and credibility. 

1. How does this vendor secure my users’ data? What security measures does this vendor put in place?
    
2. What regulations does this vendor comply with? At the very least, the vendor you consider needs to be compliant with the data protection laws where your business operates, for example GDPR. Are there other regulations that the vendor follows?
    
3. How are data transfers governed? Does the vendor take measures to comply with the applicable data transfer requirements and limitations? Data might not stay in one location. For example, data might be transferred to subprocessors in another country. If so, how does the vendor protect the data that is being moved and what actions will the vendor take to comply with the applicable laws? 
    
4. Any verifications that this vendor has been given? There are many independent organizations that verify the security, privacy, and compliance controls of different technologies, including A-LIGN and CSA. 
    
5. What types of security threats does this vendor protect against? For example, what can this vendor do against malware, phishing, or DDoS? 
    
6. What vendors does this vendor use and how are they secure? Just as you are looking to another vendor, that vendor may also leverage other vendors in their technology. How are they ensuring the security of those vendors? If one doesn’t comply, then the security of the entire tool is compromised. 

A Platform You Can Trust

We’re able to lay out these foundational principles because they are also what guide our own platform. 

For over two decades, we’ve placed security, compliance, and data protection at the core of our product, offerings, and operations at Liferay. Because of our expertise and emphasis on security, we’ve been able to provide trusted solutions to industries where security is paramount, like finance, government, and healthcare. 

Our cloud offerings are based on the Google Cloud Platform and both Liferay and Google commit to providing a robust, secure offering. Additionally, Liferay will handle more of the security tasks for customers on our PaaS and SaaS offerings, including incident management, infrastructure security, and DDoS protection. But we also offer an on-premise deployment option for customers that need to meet very specific security and privacy requirements.

Here’s how we would answer the security measures above, and the type of responses you would want to look for from vendors you consider. 

1. Liferay protects user data with a strong emphasis on data protection. We design our products and offerings with robust security measures to safeguard information, including enforcing strict data access policies, carrying out comprehensive vendor evaluations, aligning our practices with evolving privacy regulations, and regularly educating and equipping our employees, commitments enshrined in our agreements.  
    
2. Though no software product can offer a checklist of features to make your company completely GDPR compliant, Liferay DXP provides tools to greatly accelerate a company’s journey towards compliance. With out-of-the-box features such as data export, data erasure, and user permissions combined with Liferay DXP’s flexible architecture, businesses can adapt the platform to the evolving needs of their data protection strategy. For a more detailed dive into how Liferay ensures it complies with the requirements under GDPR, read more here.
    
3. Liferay does transfer personal data, but implements appropriate safeguards where required by regional data protection laws. Applications running on Liferay’s cloud offerings can also achieve data sovereignty compliance through Liferay’s regional controls, data encryption, and Google Cloud’s Sovereign Cloud. 
    
4. Liferay regularly undergoes independent verification of our security, privacy, and compliance controls to help businesses meet their regulatory and policy objectives and has received the following certifications: SOC 2 Type 2, ISO/IEC 270001, ISO/IEC 27017, ISO/IEC 27018, HIPAA, CSA Start Level 1 and 2, and Spain Esquema Nacional de Seguridad. 
    
5. With Liferay’s infrastructure, organizational, and product security, you can stay protected with: 
   • Intrusion detection system, which enables constant monitoring and the early identification of potential security breaches.
   • DDoS technology enhanced with WAF and AI from Google to protect against known and unknown malicious traffic. 
   • Anti-malware technology on all relevant systems 
      
6. Liferay undergoes a rigorous vetting process of all vendors to ensure that your security is not compromised by any of the vendors we use. 

Liferay’s Commitment to Security 

We’ve made security a priority of our platform so that you can conduct your business operations, with a platform you can trust. To that end, we’ve provided full transparency on how we handle security in our platform and organization. To assess these documents and resources, visit our Trust Center.