Three Things CIOs Should Know About Cyber-Security
By Steve Durbin | Posted 08-27-2014
At the Information Security Forum, we know that cyber-security is a key business priority as organizations become progressively more digital and cyber-threats grow, both in number and in sophistication. In today's digital age, cyber-security is one of the principal issues facing CIOs. To be successful, CIOs must prepare themselves for a constantly evolving cyber-security threat landscape and, with the help of the C-suite, develop a proactive strategy to prepare their organization for today's omnipresent dangers.
For years, CIOs have been searching for a way to get a seat at the proverbial big table and become a partner to the business. The time has come for the CIO to be the CEO's business partner, providing the technology linkage between IT enablement and security and risk management. In my experience, when the CIO and CEO engage successfully, organizations are more likely to realize the benefits of their strategic initiatives. Effective engagement enables organizations to take advantage of the opportunities presented by cyberspace and today's technology, while addressing the associated risks.
The CIO's function is going through a process of significant change, but so are businesses. The CIO's role has evolved significantly from being focused on IT to being focused on business risk and speaking the language of business to get the message across to the CEO and the board of directors, who are most likely not as technologically savvy as the CIO. When a security incident occurs, today's CIO must have a thorough understanding of what happened and why; that understanding is necessary to properly assess and respond to the underlying risks. Without it, risk analyses and the resulting decisions may be flawed, leading organizations to assume greater risk than intended.
Three Areas of Security
I want to call attention to three specific areas of information security that I believe all CIOs need to be familiar with. Note that these domains are not mutually exclusive and can combine to create even greater threat profiles. While they are not the only challenges that CIOs should be mindful of, they are the ones that CIOs should be keeping a close eye on.
1) BYOx and Cloud Trends in the Workplace
As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities, and the deployment of poorly tested, unreliable business applications.
If the CIO believes that bring your own everything (BYOx) risks are too high, he or she needs to stay abreast of developments and make the necessary adjustments. If the risks are acceptable, CIOs should communicate directly with the CEO and board of directors to ensure the BYOx program is in place and well structured. Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to a loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices.
Further areas of concern for CIOs in this space are the continuing move to the cloud and the associated challenge of assessing security as a service for cloud-based applications, some of which may be coexisting in the organization’s ecosystem without the express knowledge or permission of the CIO’s team. Bring your own cloud is an emerging threat vector and warrants constant attention and oversight.
2) Privacy and Data Breach Regulations
Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of personally identifiable information, with penalties for organizations that fail to sufficiently protect it. As a result, organizations need to treat privacy as a compliance and business risk issue in order to reduce regulatory sanctions and commercial impacts, such as reputational damage and loss of customers due to data breaches.
Furthermore, we are seeing increasing government plans for regulation of the collection, storage and use of information, along with severe penalties for the loss of data, particularly in the European Union. Expect this trend to continue and develop further, imposing an overhead in regulatory management above and beyond the security function and necessarily including CIO, CEO and board involvement.
For the multi-nationally dispersed organization, this development represents no end of challenge to the CIO who has to provide the infrastructure across multiple domains and legislative environments. The board of directors is concerned about connectivity and business effectiveness across the enterprise, and CIOs will need to ensure this is done effectively and efficiently without falling foul of emerging privacy and data management legislation.
3) Data Security Threats
Attackers have become more organized, attacks have become more sophisticated, and threats are more dangerous and pose greater risk to an organization's reputation. In addition, brand reputation and the trust dynamic that exists among suppliers, customers and partners have emerged as very real targets for cybercriminals and hacktivists.
With the speed and complexity of the threat landscape changing on a daily basis, all too often we're seeing businesses suffer both reputational and financial damage. The CIO needs to work with the CEO to ensure the organization is fully prepared to deal with these ever-emerging challenges by equipping it to better withstand cyberattacks on its data. Vulnerabilities exist throughout most supply chains, giving attackers the opportunity to get hold of intellectual property and sensitive corporate data through third-party access. This is a real headache for CIOs who depend on a multisourced provider and support strategy to run their systems.
Being Prepared Is Key
Today, the stakes are higher than ever before, and we’re not only talking about personal information and identity theft. High-level corporate secrets and vital infrastructure are constantly under attack. Organizations need to be aware of the important trends that have emerged or shifted recently, as well as those that they should prepare for in the near future.
The time is now for the CIO to step up and work with the CEO and the board of directors to ensure that their organization is better prepared and engaged to deal with these ever-emerging challenges. By seizing the opportunities that cyber-security presents, CIOs can successfully raise their profile in the C-suite and increase their level of engagement across the organization, which are two of the main objectives of most ambitious CIOs.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
To read his previous CIO Insight article, "Why Security Awareness Programs Fail," click here.