[BreachExchange] It’s Time CIOs Get Real About Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 6 19:24:32 EDT 2017


https://www.informationweek.com/strategic-cio/its-time-cios-get-real-about-data-security/a/d-id/1329062?_mc=RSS_IWK_EDT

Considering how the past few years have gone, it came as no surprise that
the first half of 2017 has already been a terrifying ordeal in terms of the
state of IT security. The WannaCry ransomware attack dominated headlines
around the world becoming the largest and fastest growing malware in
history. Additionally, data and infrastructure security professionals are
being inundated with a constant stream of newly identified security flaws
on hardware and software deployed on production networks.

It's safe to say that our battle against cyber-criminal activity is not
going as well as many had hoped. It then begs the question, what approach,
from a messaging standpoint, should a CIO take when discussing data
security with other C-level execs and stakeholders? While some CIOs might
choose to put on rose-colored glasses and pretend everything is just fine,
others are beginning to take a more realistic approach.

The times are long past where IT leaders can simply plead ignorance when
it's discovered that their infrastructure has been breached. That's why I'm
often shocked to still hear CIOs boast about how “tight” they believe their
security to be. Clearly, this is the wrong approach to take -- even when
uttered behind closed doors. Instead, enterprise networks should be looked
at as living, breathing entities. They may be completely healthy one
minute, yet succumb to a virus the next. Even when considerable time,
money, and effort are spent to secure a network, there’s always going to be
a weak point. Even with advanced artificial intelligence to aid in the
fight, malware authors are managing to find plenty of ways to evade
prevention mechanisms. The bottom line is, we should assume that if someone
wants to break in -- they'll undoubtedly find a way.

But at the same time, a CIO can't simply throw their hands up and tell
stakeholders that the sky is falling and all hope is lost. Instead, they
must paint a picture that IT security is an area of IT that’s in continuous
fluctuation. Furthermore, they need to convey that two key factors play a
role in whether the organization is more or less at risk from an attack or
breach. The first factor is the speed at which the organization can respond
to a threat. This is a wide-reaching consideration that covers multiple
areas of IT security, including tool automation, staff skillsets and
escalation procedures. Speed is everything in a field where every
millisecond counts.

The other factor that significantly impacts the risk an enterprise
organization takes regarding data security lies in the contingency plans
and procedures that are enacted once a breach occurs. Because we can't
possibly plug all holes that are exposed to the bad guys, threats can be
significantly minimized using contingency plans. For example, if an
enterprise organization maintains isolated, offline backups, they are
largely immune to malware exploits. Other contingency plans can address
DDoS or virus outbreaks. These days, contingency plans are as important as
the security tools put in place to prevent the security threat in the first
place.

If you’re a CIO – and you want to “stay out of the headlines” – the way you
message data security threats can work to your advantage, if it's done
properly. Instead of putting on that fake smile when telling everyone how
there’s nothing to fear, it may be beneficial to be far more honest with
stakeholders. That way, their expectations are more in line with the actual
truth and less in line with false expectations that nothing bad can ever
happen. Let them know about your strengths, weaknesses and keys to success.
By doing so, you might find that injecting a dose of reality can help build
relationships that foster more interest and support in the protection of
company data moving forward.