Business owners are becoming increasingly concerned with the proliferation of technology in the workplace. Innovations such as BYOD, cloud, global access and social networking have many CIOs spinning their wheels on how to effectively secure their data and protect valuable intellectual property.
In this (n)ever-changing threat landscape, companies and governments are constantly battling organised cybercrime and hacktivism. With malware such as Flame, Stuxnet and Shamoon now part of the modern-day attacker’s arsenal, CIOs need to stay one step ahead of the game and prepare for attacks accordingly.
Let’s take a look at security measures used today and what initiatives can be implemented right now to increase your worth to your organisation and protect against advanced cyberattacks. Through experience and discussion with peers, I have determined that the top five initiatives to have a successful security program and keep your company safe are:
1. Understand your business
This may seem obvious, and we do not mean to be patronising, but security does not run the company, even in the security industry. Profit-building initiatives such as sales and marketing often trump security, or leave it out entirely. To change this, CISOs need to be actively involved in their company’s product and service development lifecycle and integrate security strategically, so that it supports, rather than slows, the conversion of products into revenue.
The risks and threats facing your organisation are real, and a purely reactive approach to security invites fallout. Stay proactive by showing your board of directors (the board) that security can be a major financial differentiator. One way to do this is to get involved in the products your company produces. Unlike other groups in IT, security has to think about the threat, and that thinking needs to be built into every process, strategy and communication. Better security can mean higher profits as well as preserved company data. That said, do not rush the planning stages of your IT security strategy: the slow way is the fast way when it comes to an effective, methodical IT security architecture.
2. Understand the role of security
In today’s environment, technology consumes us, and we tend to forget about people and processes, which are what really make our companies successful. As leaders, we need to sell ideas. Technology alone is a Band-Aid; it has to go hand in hand with the other elements. If you want comprehensive IT security, you must integrate governance and processes to ensure success.
Education is also imperative. Educate up, down and across: all of your employees, from the board to customer service to the facilities department, should share an understanding of your department’s mission and strategies. One way to cultivate this understanding is to run an authorised, simulated breach against your own organisation. This tests your employees’ knowledge of current threats and how to spot them, and shows you how they actually respond. The results are also worth sharing with the organisation. Another way is to challenge your helpdesk to work out how they themselves would steal a password during the reset process. This surfaces misuse and abuse cases in the process and educates the team about external threats at the same time. Most employees are interested in this, and some will even enjoy putting on the “black hat” every now and then.
3. Understand ‘information’
Understanding the relative value of information is a powerful tool. Your ultimate goal should be to build knowledge and wisdom about the IT security function and how it relates to your company, and so move from being a security operations group to a security intelligence team. Having data and information is not enough; you need to be able to analyse that information and use your findings to tell a compelling story. In doing so, you enable IT to design a security program that adequately protects your organisation from data loss and theft.
Another aspect of understanding information is leadership. Your leadership team should not seek only to lead your department. We must act as company leaders, reporting vital information to senior management with clear messaging, relevance, context and timeliness. Only then can effective decision-making take place. It also helps win buy-in from those who see only margins, and who regard your security program as a line item in their budget.
4. Establish governance
By definition, governance is the ability to set expectations, grant authority and validate performance. A strong mission statement for information security within your organisation is the starting point. As part of it, clearly define whom IT security reports to, along with its roles and responsibilities. Ensuring operational alignment across all departments will engage your organisation and make it far more aware of your security architecture.
5. Convert risk into funded initiatives
Last but certainly not least, you must use your governance model to turn information security initiatives into funded efforts. When you work with senior management to set your mission, priorities and initiatives, your projects naturally become sponsored goals with support across the board. It is also imperative to keep senior management informed about risks, news and other relevant information. Your board of directors wants to see your initiatives and what you can deliver, not how you can maintain the status quo.
Adhering to these five initiatives builds a strong foundation for your organisation’s security strategy. It comes down to defining risks, establishing security and then striking a balance between the two. Waste no opportunity to educate: every compromise and breach we read about is a moment to capture the threat, communicate the risk and build a strategy. In doing so you plant a seed for later efforts, communicate what you are doing about the threat, and sell your ideas. As long as you keep a proactive mindset, you will be in a better position to thwart advanced attacks and safeguard your company’s data.
Gerry Tucker is the ANZ country manager of Websense.