Last time we discussed development and implementation of a strong, proactive enterprise-wide information security program encompassing governance, policies and standards, workforce awareness and training.
Companies regularly invest in business technology software because they know that manual analysis of the massive amounts of data collected today is an impossible task. Automating the analysis process enables businesses to extract the data necessary not only to operate, but also to stay ahead of their competition. But protecting the data that drives the business seems to be a stepchild. Development of comprehensive security programs with appropriate security intelligence technology just can’t seem to gain traction in the executive suite, despite the risk that at any point in time a business’s data may become incomplete, wrong or – even worse – erased because its security tools failed to recognize a vulnerability.
What are the challenges to Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs)? They don’t know much about the data. Data comes in through multiple sources and media – through the Company website, email, product registration cards, contest registration slips dropped in a box at a retail store, and often through business applications over which CIOs and CISOs have had little or no control.
Because they don’t know the data source, they don’t know who owns the data. Not all data needs protection. It’s too costly to protect everything anyway. But if you don’t know what you have, who owns it, where it resides and the reason it was collected, the data can’t be classified. As a result, even minimum controls and performance measures, which may be driven by government regulation as well as company policy, cannot be set. These, among others, are the issues that keep CIOs and CISOs up at night.
Efficiencies resulting from centralizing security intelligence tools and information reduce costs while enhancing threat detection and improving incident response, all of which goes right to the bottom line. Regulatory compliance and meeting PCI standards are big sticks, the cost of which could be reduced through a centralized comprehensive program. The inability to adequately comply results in penalties, fines, investigations and often ongoing monitoring – sometimes for as much as 10 years. But cybercrime run by organized crime is a $1 trillion business annually. Envisioning the company name in headlines associated with a major security breach may be what it takes. Perhaps fear is the biggest motivator.
Next time – Cybersecurity Awareness III: Managing Third Party Risk