Alex - stock.adobe.com
Defending organizations against hackers and keeping information safe are critical endeavors -- but they aren't easy.
Information security (infosec) has evolved to be one of the most complex aspects of business today and requires a formalized approach. With modern cybersecurity threats seeking greater harm than ever, proper collaboration between IT and infosec leaders and teams is critical.
Looking at the big picture, resilience is key to security. The question is: How can the CIO prepare and help minimize the impact of security events when they occur? Approaching information security in the right way increases the odds of building a strong program infused with resilience. Aiming to stop all successful exploits, especially those related to modern security challenges, such as working from home, ransomware and AI, is both impractical and unreasonable. However, building in controls and resilience to absorb the impact is much more realistic.
For example, the CIO can help identify the necessary technical controls to minimize remote work risks to cybersecurity and infosec that the CISO and their staff detect. CIOs can also build endpoint security controls to prevent and mitigate the threat and impact of ransomware. The CIO should consider working with the CISO and legal counsel to determine best practices for AI usage. This process could include strategies on how to deal with external threats by others using AI against the company.
Here are four information security essentials CIOs need, plus a formula for ensuring long-term resilience.
1. Create an infosec mission
All practical business endeavors must begin with direction.
Do you have a security program charter? If not, now's the time to document the organization's commitment to infosec initiatives and its overall approach to IT governance and compliance. The CISO might have previously created a draft of this document. The CIO and the CISO need to collaborate on a functional working document.
The program charter should establish requirements to meet the cybersecurity, information security and privacy expectations of all internal and external stakeholders. Each team should describe how they'll work together to minimize risks associated with modern IT-related security threats to assets under their responsibility.
2. Determine roles and responsibilities
The CIO can work with the CISO, CSO and chief risk officer to establish a clear vision of the organization's security direction. This should outline each role's infosec responsibilities. This process might also involve legal counsel and internal audit. Doing so helps set expectations and minimize the possibility of any gaps being left open for security threats, vulnerabilities and risks to sneak in over time.
3. Form a security committee
IT and security professionals cannot be the sole stewards of cybersecurity and infosec within the business. Many organizations still operate security as if that's true, but that never works in the long term.
The security conversation should include employees from finance, legal, HR and others as needed. It's not enough to get approval; encourage feedback and solicit direct input on how to improve. You might be surprised how easily people outside of security can solve big security problems.
The committee should meet periodically and consistently to discuss meaningful issues regarding security oversight, rather than simply discussing IT project status updates.
4. Grow through specific and concrete goals
Clear guidance is necessary to execute missions and other initiatives. This step is where concrete goals come in. Well-written plans make or break a security program.
The secret to successful goal management is to do the following:
- Determine what you want to accomplish, and write it out in the present tense -- for example: We fully understand our work-from-home risks.
- Outline the steps you need to take to accomplish the goal -- for example: We initiate and oversee information risk assessments that examine technical issues and business processes. We roll out specific technologies that can help create the proper visibility and control to minimize the risks and effects on the business.
- Set a specific deadline for your goal, and hold everyone accountable -- for example: Within the next three months, we will understand specific work-from-home risks. Six months beyond that, we will have implemented the necessary systems and processes to address each risk, along with meaningful metrics that help us ensure that everything is working as intended.
The CIO might work closely with the CISO and the security committee for this latter part.
These priorities are key for a well-rounded security program. Still, it's often rare to see these goals practiced in a structured and measured way in even the most formal business settings.
The formula for strong infosec
Companies should establish expectations and ongoing diligence to develop an infosec program beyond its core components. However, it also requires a specific approach for those involved to strengthen infosec significantly to ensure long-term oversight and success.
First, the organization should understand what it has in terms of systems and information assets. In many situations, stakeholders don't fully know what they're protecting, which can waste time, money and effort. Doing so is analogous to building a business with no goals and, therefore, no direction.
It's not uncommon to see IT and security staff assuming that the other party is taking care of this step. Without knowing the essence of why and what the organization's doing with security, it's going to be difficult to master any part of it. A configuration management database might facilitate this step, but other efforts, including ongoing manual reviews, will likely be required. The CIO should fully map out the organization's physical and logical assets.
Next, the company should understand the types of risks the information assets pose. The CISO should lead periodic and consistent vulnerability and penetration testing, information risk assessments and internal audits. Many corporations continue to come up short in understanding levels of risk across the organization.
The final step is to follow through. The proper security stakeholder must carry out any appropriate actions, whether that's the CIO, CISO or another stakeholder who takes the lead. These procedures might include implementing additional technical and operational controls, defining clear security policies and standards, and enhancing user education through security awareness training.
Many security programs fall flat in this phase because those in charge don't fully execute the proper steps. This situation often happens because of undefined expectations and confusion about roles and responsibilities. Many security initiatives also fail to launch because of a lack of security culture throughout the organization. There's never enough time, budget or political backing. Be careful not to fall into this trap.
Security requires leadership support
In the end, security comes down to defensibility. Are you going to be able to defend the company's security actions as the leader of IT? By following the steps outlined above, CIOs and other security stakeholders can greatly increase the chances of success.
Still, it can't stop there. The CIO must ensure that the executive management team supports infosec initiatives. For example, virtually all security events end up on the lawyers' desks. Is the company's legal counsel on board with the security program? It's wise to get the attorney involved before a significant event.
Company leaders, including attorneys, should have access to all the necessary data to make informed decisions. This knowledge can help guide their decisions about the security program. Working closely with legal counsel and other stakeholders on incident response tabletop exercises tailored to specific business risks can bring everyone together and support the necessary security buy-in.
A thorough review of the organization's security program will likely reveal gaps or opportunities for improvement, such as exploring ways to create a culture of security. In infosec, IT leaders often play a crucial role by setting an example for others. Even though IT leaders might not notice it, others are watching now, and they'll be watching once a security event occurs. A professional response to security challenges requires preparation, which can support any ongoing security initiatives.
Working on security now gives CIOs far more control over strategies and messaging rather than waiting until they are forced to react under pressure once an incident or breach occurs.