CIOs need to be aware of bring your own everything and cloud trends in the workplace, new privacy and data breach regulations, and evolving security threats.
By Steve Durbin
At the Information Security Forum, we know that cyber-security is a key business priority as organizations become progressively more digital and cyber-threats grow, both in number and sheer sophistication. With the explosion of today’s digital age, cyber-security is one of the principal issues CIOs. In order to be successful, CIOs must prepare themselves for an always developing cyber-security threat landscape and, with the help of the C-suite, develop a proactive strategy to prepare their organization for today's omnipresent dangers.
For years, CIOs have been trying for a way to get a seat at the proverbial big table and become a partner to the business. With that being said, the time has come for the CIO to be the CEO’s business partner, providing the technology linkage between IT enablement and security and risk management. In my experience, when the CIO and CEO engage successfully, organizations are more likely to realize the benefits of their strategic initiatives. Effective engagement enables organizations to take advantage of the opportunities presented by cyberspace and today’s technology, while addressing the associated risks.
The CIO’s function is going through a process of significant change, but so are businesses. The CIO's role has evolved significantly from being focused on IT to being focused on business risk and speaking the language of business to get the message across to the CEO and the board of directors, who are most likely not as technologically savvy as the CIO. With regard to a security incident, today’s CIO must have a thorough understanding of what happened and why it is necessary to properly understand and respond to underlying risks. Without this understanding, risk analyses and the resulting decisions may be flawed, leading organizations to assume greater risk than intended.
Three Areas of Security
I want to call attention to three specific areas of information security that I believe all CIOs need to be familiar with. Note that each of these domains is not mutually exclusive and can combine to create even greater threat profiles. While they are not the only challenges that CIOs should be mindful of, they are the ones that CIOs should be keeping a close eye on.
1) BYOx and Cloud Trends in the Workplace
As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities, and the deployment of poorly tested, unreliable business applications.
If the CIO believes that bring your own everything (BYOx) risks are too high, he or she needs to stay abreast of developments and make the necessary adjustments. If the risks are acceptable, CIOs should communicate directly with the CEO and board of directors to ensure the BYOx program is in place and well structured. Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to a loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices.
Further areas of concern for CIOs in this space are the continuing move to the cloud and the associated challenge of assessing security as a service for cloud-based applications, some of which may be coexisting in the organization’s ecosystem without the express knowledge or permission of the CIO’s team. Bring your own cloud is an emerging threat vector and warrants constant attention and oversight.
2) Privacy and Data Breach Regulations
Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of personally identifiable information, with penalties for organizations that fail to sufficiently protect it. As a result, organizations need to treat privacy as a compliance and business risk issue in order to reduce regulatory sanctions and commercial impacts, such as reputational damage and loss of customers due to data breaches.
Furthermore, we are seeing increasing government plans for regulation of the collection, storage and use of information, along with severe penalties for the loss of data, particularly in the European Union. Expect this trend to continue and develop further, imposing an overhead in regulatory management above and beyond the security function and necessarily including CIO, CEO and board involvement.