Being a chief information officer is difficult, and it is getting harder as cyber threats become more relentless. A CIO's concerns can come from just about anywhere. The worst enemy is no longer just the hacker trying to breach the company's systems. It could be a careless employee who loses a laptop or phone. It could be a disgruntled employee who walks out with a hard drive full of valuable data. Sometimes even the components your systems are built on turn out to be flawed; the Spectre and Meltdown vulnerabilities disclosed in early 2018 are a case in point, affecting nearly every processor manufactured over the past two decades.
In 2017 there were close to 900 reported cyberattacks or security breaches, and we all know that not every attack is detected in time, and not every detected attack is reported. The bad news is that there is always another vulnerability to exploit, and attackers are creative enough to modify their techniques so that defenses tuned to the last attack miss the next one. Attacks keep evolving and keep becoming more persistent, and they target desktops, servers, and even an employee's smartphone.
Cybersecurity: The toughest job of CIOs
Cybersecurity is a very difficult job, but it is one you have to get right. The consequences and costs of a breach can break your company. "Disastrous" would not begin to describe a breach that exposes your customer data or your company's trade secrets: you would lose your customers' trust, and your reputation would take a lasting hit.
Consider the numbers. According to the 2017 Cost of Data Breach Study from the Ponemon Institute, losing a single data record costs $141 on average, and the average data breach costs more than $3.6 million. In the United States the figure is roughly twice that, at $7.3 million per incident.
On top of that, you face the possibility of hefty fines and heavy sanctions. Under the new General Data Protection Regulation (GDPR), for instance, a company can be fined up to 20 million euros or 4% of its annual global turnover, whichever is higher.
Put that in context. Had GDPR been in effect when the 2013 Yahoo breach occurred, Yahoo could have been fined anywhere from $80 million to $160 million. Equifax suffered a huge breach in 2017 in which the records of more than 143 million consumers were compromised; had GDPR applied, that could have meant up to $124 million in fines.
With these in mind, what are the biggest concerns that most CIOs face today?
There are a lot, but the first and top concern for every CIO should be the ability to answer one question: how vulnerable are your systems and your organization?
Different companies hold different data and gather it in different ways. There is no shortage of information about hacking attempts and known vulnerabilities; what a CIO also needs is a clear picture of the company's own exposure to them. You should be able to quantify the risk so you know which steps will minimize it, and which risks can be eliminated outright.
The challenge is that there is no single, universally accepted standard for measuring how ready you are to defend your systems against cyberattacks and other threats. There are, however, industry guidelines that can help, such as the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST).
That is not to say the NIST guidance fits every company as written. It does not. As CIO, you still have to understand your own risks and your own systems, and come up with your own set of metrics and guidelines to monitor the health of your security technology and processes.
What's more, you should be able to communicate all of this to the other decision-makers and executives in your company. That is easier said than done. One way to make it easier is to list the risks and rank them by importance. A ranked list helps bring other leaders in line with your security priorities. The ranking will change constantly, of course, but it serves as the reference point for those priorities.
Another thing you can do is see how you compare with the rest of your industry. Security ratings firms such as SecurityScorecard help you judge whether your security policies, technologies, and processes are on par with the industry average. You can also measure what proportion of your software is running the latest available version, which tells you how efficient and effective your patching process actually is. Software that is not patched carries known vulnerabilities that attackers can exploit to get into your systems.
You should also track how quickly you respond to both suspected and confirmed cyber threats, and compare that response time against the industry average. Carnegie Mellon University publishes these industry averages.
Knowing how secure you are, how effective your security policies are, and how you rank against other businesses in your industry is a good way to improve your security. It tells you whether there are holes that need plugging and areas of concern you may have missed. If your security systems, technologies, and policies are on par with your peers, give yourself a pat on the back. If something is lacking, whether technology, skills, or policy, that is where you ramp up.
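The two metrics just described, patch currency and response time, are easy to compute once you have an asset inventory and an incident log. The script below is an added example, not code from the original article or from SecurityScorecard or Carnegie Mellon; its product catalog, asset inventory, and incident timestamps are constructed sample data, and the 30-day patch SLA is an assumed policy value. It reports the share of assets on the latest known version, which assets are past the SLA, and mean and median time from detection to containment, while flagging products with no catalog entry and incidents that are still open rather than silently miscounting them.

```python
"""Patch-currency and incident-response metrics from an inventory and an incident log.

Added example with constructed sample data; the 30-day SLA is an assumed policy value.
"""
import re
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed catalog: latest known version per product and its release date.
LATEST = {
    "openssl": ("3.0.13", datetime(2024, 1, 30)),
    "nginx": ("1.25.4", datetime(2024, 2, 14)),
    "chrome": ("122.0.6261.94", datetime(2024, 2, 27)),
}

# Constructed asset inventory: (host, product, installed_version).
# db-01 runs a product that is not in the catalog, so it cannot be assessed.
INVENTORY = [
    ("web-01", "nginx", "1.25.4"),
    ("web-02", "nginx", "1.24.0"),
    ("web-01", "openssl", "3.0.13"),
    ("web-02", "openssl", "3.0.11"),
    ("wks-17", "chrome", "122.0.6261.94"),
    ("wks-18", "chrome", "120.0.6099.71"),
    ("wks-19", "chrome", "121.0.6167.85"),
    ("db-01", "postgres", "15.6"),
]

# Constructed incident log: (incident_id, detected_at, contained_at or None if still open).
INCIDENTS = [
    ("INC-1", datetime(2024, 3, 2, 9, 15), datetime(2024, 3, 2, 13, 45)),
    ("INC-2", datetime(2024, 3, 5, 22, 0), datetime(2024, 3, 7, 10, 0)),
    ("INC-3", datetime(2024, 3, 11, 8, 30), datetime(2024, 3, 11, 10, 0)),
    ("INC-4", datetime(2024, 3, 15, 14, 0), None),
]

AS_OF = datetime(2024, 3, 20)  # date the report is generated (assumed)


def parse_version(version):
    """Turn '1.25.4' or '3.0.13-1' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def patch_currency(inventory, latest, as_of, sla_days=30):
    """Share of assets on the latest version, plus assets whose missing patch is past the SLA."""
    current, overdue, unknown = 0, [], []
    for host, product, installed in inventory:
        if product not in latest:
            unknown.append(host)          # no catalog entry: cannot judge, report separately
            continue
        latest_version, released = latest[product]
        if parse_version(installed) >= parse_version(latest_version):
            current += 1
        elif as_of - released > timedelta(days=sla_days):
            overdue.append((host, product, installed, latest_version))
    assessed = len(inventory) - len(unknown)
    return {
        "assessed": assessed,
        "current": current,
        "pct_current": round(100.0 * current / assessed, 1) if assessed else 0.0,
        "overdue": overdue,
        "unknown": unknown,
    }


def response_times(incidents):
    """Mean and median hours from detection to containment; open incidents are counted, not timed."""
    hours = [(contained - detected).total_seconds() / 3600
             for _, detected, contained in incidents if contained is not None]
    return {
        "closed": len(hours),
        "open": sum(1 for _, _, contained in incidents if contained is None),
        "mean_hours": round(mean(hours), 1) if hours else None,
        "median_hours": round(median(hours), 1) if hours else None,
    }


if __name__ == "__main__":
    pc = patch_currency(INVENTORY, LATEST, AS_OF)
    print(f"{pc['current']}/{pc['assessed']} assets current ({pc['pct_current']}%)")
    for host, product, installed, wanted in pc["overdue"]:
        print(f"  overdue: {host} {product} {installed} -> {wanted}")
    print("  not assessable:", pc["unknown"])
    rt = response_times(INCIDENTS)
    print(f"{rt['closed']} closed, {rt['open']} open; "
          f"mean {rt['mean_hours']}h, median {rt['median_hours']}h to contain")
```

The median is reported alongside the mean because a single slow incident (INC-2 here, 36 hours) drags the mean far above what most responses actually took; a CIO comparing against an industry average should know which of the two that average represents.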
But that is just the first step. There are others. You should also be able to answer the following:
- Who is given access to which resources?
- Are your vendors, suppliers, and other partners trustworthy?
- Who are the cybercriminals targeting you, and what motivates them?
- Will you need security clearances?
- What do you need to divulge or disclose?
- Will security performance affect compensation?
Photo courtesy of ecoev (Flickr).