Organizations where everyone works together to build a strong defense are more likely to succeed despite a lack of resources, proliferating security threats and new technologies.
By Steve Durbin
The rapid evolution of technology, in combination with the economic upheaval of the last few years, has caused a massive shift in the security landscape. As a result, businesses are discovering that their resources are more limited than ever before, and all of them must be prioritized to the areas of greatest need or return. Determining those priorities can be difficult in itself, especially when the imperative is to deliver more for less, both in terms of new investments and existing resources.
These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. As IT runs through every department, so must security initiatives. CIOs need to be proactive in promoting and supporting new business based on strong security and business-based risk assessments.
It has become essential for CIOs to connect with the board of directors so they approach new technology and security initiatives with a risk vs. reward mindset. New technologies are often adopted as a way of differentiating an enterprise and gaining an advantage over competitors, but without a robust, cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.
Managing information risk is critical for all organizations to deliver their strategies and initiatives—and to reach their goals. Consequently, information risk management is relevant only if it enables an organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. An organization’s risk management activities—whether coordinated as an enterprise-wide program or at functional levels—must include an assessment of risks to information that could compromise success. Ask the tough questions, such as "If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?"
You Need to Know What Went Wrong
One of security's primary aims is to prevent negative incidents. However, it’s almost impossible for organizations to avoid such events. While many businesses are good at incident management, fewer have a mature, structured approach for analyzing what went wrong in the first place. As a result, these businesses are incurring unnecessary costs, accepting inappropriate risks and possibly destined to keep repeating their mistakes.
Every organization needs mature incident management capabilities. Without a proper impact assessment, a business doesn’t know the incremental, long-term or intangible costs of a security incident, but those costs affect the bottom line and the brand’s reputation. Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes and not spend money where it’s most needed to reduce the odds of a major data breach or other security incident.
Most organizations have a limited appetite for investigating security incidents, due in part to the understandable need to get back to business as usual. It is the responsibility of the CIO to ensure this vital security step is not overlooked. Skipping a thorough investigation of an incident means the organization misses a valuable opportunity to learn from it.
Take Stock Before It’s Too Late
Enterprises have varying degrees of control over today’s ever-evolving security threats. Organizations where everyone works together to build a strong defense will most likely thrive despite the immense pressure created by reduced resources, proliferating threats and evolving technologies. New perils arise with the speed and unpredictability of a force of nature—and all businesses are vulnerable to damage. Organizations of all sizes need to ensure today that they are fully prepared and engaged to deal with these ever-emerging security challenges.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
His previous CIO Insight article is "Security Risks: It's All About How You Manage Them."