Advice for a CIO on making security an issue for everyone
An organisation’s cybersecurity is only as strong as its weakest link. This is why it is vital that there is buy-in from staff at all levels and that best practice is adopted across the organisation. We know attackers look for the easiest route into an organisation, so building barriers that deter them is a vital first step in ensuring an effective defence. As employees are often a weak link in this defence, it is vital that CIOs, CISOs and others responsible for an organisation’s defence make sure security is on everyone’s radar.
What should be part of the CIO’s cybersecurity policy?
In the first instance, make it clear that employees are accountable. Increased accountability will ensure that greater care is taken by employees, and by giving employees proper cybersecurity training, they will better understand what is at stake. If companies make a list of cybersecurity best practices that employees understand, and enforce them, employees are more likely to follow the guidelines. The main issue to consider is that apathy and reversion to the status quo should be expected. All too often employees think that security is not their responsibility, so it is a case of constantly training and ensuring that best practices are both updated and followed.
At the end of the day, all staff need to be vigilant, and this requires training. The training should be ongoing and frequent, or else employees forget and revert to old behaviours.
One example of where staff training and staff accountability tends to be done well is in government and military intelligence agencies. These types of organisations are known for holding people accountable for digital security. It doesn’t matter if you are a one-star general or a three-star admiral. If you are the person in charge of a system and that system gets compromised, someone will take the blame for it. Everyone knows this, so they work extra hard to take care of their systems. They take it very seriously.
Organisations, and the CISO in particular, have to take responsibility for investing in well-managed security tools with controls designed to prevent, detect, contain and remediate data breaches. Furthermore, organisations should take care to share simple safeguarding techniques amongst employees and make sure they are educated about the types of attack to expect, but ultimately protection systems need to be put in place to keep hackers out.
How should security be implemented?
It is important that you give your employees proper cybersecurity training — and make sure it’s comprehensive enough so that employees understand what’s actually at stake. A lot of the training material that is circulating today is old and unrealistic.
For instance, don’t simply send someone a PowerPoint presentation on why ransomware is bad. Use phishing exercises and show what happens when a computer is locked down by ransomware. These shocking real-world examples are likely to inspire greater awareness and thinking about security. Employee buy-in to the importance of cybersecurity is vital.
How does the CIO implement a security strategy relevant to the board?
In some ways this is tricky, and there will be many factors influencing how a CIO goes about creating the buy-in needed to implement an effective security strategy. Some of the main factors affecting how the CIO should present their ideas include company culture, understanding and prioritisation of security, size of organisation, industry sector and many more. As few things will be as important as employee buy-in, especially from C-suite executives, it is vital that this is done well. The CIO must be the spokesperson and the figurehead for ensuring cybersecurity is prioritised and done well, rather than simply treated as a cost centre that can be cut.
The board in particular will need to have the strategy presented in a way that emphasises ROI and the risk to the business if the strategy is not implemented. This is the kind of language that resonates with them and aligns with their interests. It is also important that C-suite executives lead by example, setting a standard that can then filter down through the whole organisation.
How does the CIO ensure that employee and customer details remain private?
The CIO should prioritise enforcing 24/7 security with a team that is ready to respond all day, every day, and implementing stronger physical security measures and policies to protect against internal threats, theft, and unwanted devices being brought in and infecting systems. Using two-factor authentication, and not forgetting the physical security of devices that access the network, are vitally important factors to keep in mind.
Importantly, IT decision makers need to think more strategically. The bad guys are looking for ROI just like the good guys, and they don’t want to work too hard to get it. Instead of focusing on doing everything right 100 percent of the time, IT leaders can be more effective by doing a few things very strategically with the best technology available. It’s the cybersecurity equivalent of the zombie marathon: as long as you avoid being the slowest at outrunning the zombies, you minimise risk.
Instead of buying a single solution for each issue, businesses must trust security solutions from best-of-breed vendors and partnerships that answer a number of security needs.
Effective cybersecurity is not rocket science. It just requires paying attention to the technologies that are available and using them in the way they are supposed to be used. Companies that take this approach will gain a powerful presence online, and hackers will go elsewhere and find an easier target to attack.
By Duncan Hughes, Systems Engineering Director, EMEA, A10 Networks