- Educate management about cyber threats: Focus management on the benefits and the risks that new technologies pose to the business. If you have addressed the relevant compliance and regulatory requirements, assure your senior executives that these issues are under control. But also be sure to point out that compliance and regulatory adherence are only two components of risk management. Careful user education; access, system, and vendor management; and system monitoring are also needed to address the full range of risks. Whenever possible, translate cyber threats into what they'll mean for the business, the company's strategy, and its financial status. Educate your management on the dangers facing the company's reputation, brand, and intellectual property.
- Show how cyber security supports the business: A full-spectrum cyber security capability requires attention and commitment from senior executives. Cyber security is a key element of risk management and is best addressed within this context. Use case studies and other examples to illustrate your points. At a minimum, this approach anchors cyber security as a line item in the risk management budget, and potentially as an agenda item at board meetings. Raising awareness in the upper reaches of the organization is just one part of the CIO's job. You also need to choose security solutions that minimize the complexity and time it takes for your end users to perform security-related tasks. This will reduce the probability of human error.
- Know what's going on in your IT environment: Cyber threat management comes down to awareness of what's going on in your environment. It means understanding IT risks and how they manifest themselves. As CIO, you and your teams must maintain high awareness of the components, functions, and uses of IT in the organization. Only then can IT proactively mitigate risks. For example, system and information event management, coupled with external information from intelligence feeds, can help detect log-ins from vulnerable sites. Huge amounts of information exist. The key is to sift the relevant data out from the surrounding noise, organize that information and enhance it with additional intelligence to allow for more robust management of the IT environment.
The road ahead poses significant challenges for CIOs, particularly as they relate to the combination of cyber threats, new technologies, and the launch of new programs designed to tackle them. By moving away from a strictly compliance-driven approach, CIOs can take a strategic, pragmatic view of the real risks impacting their enterprises. Educating your business counterparts and teaming with them will put your organization in a position to tackle these risks holistically. Surely you're up to the challenge.
Irfan Saif is a principal in the Deloitte & Touche LLP Security & Privacy practice.