CIOs have a very demanding job and when it comes to security, their responsibilities become doubly taxing. We have already outlined why this is so, and we have also identified the most important task that CIOs should have, which is to get an overall picture of their capabilities, technology, skills, and policies when it comes to security. You can read “What are the Top Concerns of Every CIO – Part 1” here.
What else should a CIO think about?
1. Control access.
Thanks to BYOD, or bring your own device, employees are using their own smartphones and laptops to access their organization’s networks. Each device is a possible entry point for attackers.
This is why access control is a core component of an organization’s security. You need to determine which employees get access to which resources, and there are several ways to limit that access. One is the “zero trust” approach: no user or device is trusted simply because it is on the corporate network; every request is checked against who is asking, from which device, for which resource. Pair that with least privilege, granting each employee only the parts of an application or the set of data that he or she needs to do the job. Nobody is given access to the whole network, so if an employee loses a smartphone, whoever picks it up can reach only that small set of data, and a device that has been reported lost can be cut off outright.
You can also require multifactor authentication, so that a stolen password alone is not enough. One factor may be a biometric, such as the fingerprint or face recognition that unlocks a modern smartphone. Keep in mind that unlocking the device is only one factor; pair it with something else, such as a password or a hardware token, before the device is allowed to reach company resources.
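The following is an added example, not code from the original post, showing what the deny-by-default, least-privilege decision described above looks like when written down. The roles, principals, device inventory and resource names are constructed for illustration; a real deployment would read them from a directory and a mobile-device-management system rather than from dictionaries.

```python
"""Deny-by-default access decisions in the zero-trust style.

Added example with constructed data. Every request is checked on three axes:
who is asking (principal and role), from what device (enrolled and owned by
that principal), and for what (resource, action, scope). Absence of a matching
rule is a deny, and sensitive grants demand a verified second factor.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Grant:
    resource: str                 # e.g. "crm/customers"
    actions: FrozenSet[str]       # e.g. {"read"}
    scope: Optional[str] = None   # e.g. a sales region; None means any scope
    requires_mfa: bool = False    # step-up: a verified second factor is needed


@dataclass(frozen=True)
class Request:
    principal: str
    device_id: str
    resource: str
    action: str
    scope: Optional[str]
    mfa_verified: bool            # has this session completed a second factor?


# Constructed role table. No role can see the whole network: sales sees one
# region of the CRM, HR sees payroll and nothing else.
ROLE_GRANTS = {
    "sales": (Grant("crm/customers", frozenset({"read"}), scope="emea"),),
    "hr": (Grant("hr/payroll", frozenset({"read", "write"}), requires_mfa=True),),
}
PRINCIPAL_ROLES = {"alice": "sales", "bob": "hr"}

# Constructed device inventory: device -> (owner, status). "lost" is what the
# helpdesk sets the moment an employee reports a missing phone.
DEVICES = {
    "phone-a1": ("alice", "enrolled"),
    "laptop-b7": ("bob", "enrolled"),
    "phone-b9": ("bob", "lost"),
}


def decide(req: Request) -> str:
    """Return 'allow', 'deny' or 'mfa_required' for one request."""
    owner_status = DEVICES.get(req.device_id)
    # Unknown device, someone else's device, or a device reported lost: deny
    # before even looking at what was asked for.
    if owner_status is None or owner_status != (req.principal, "enrolled"):
        return "deny"
    role = PRINCIPAL_ROLES.get(req.principal)
    if role is None:
        return "deny"
    for grant in ROLE_GRANTS.get(role, ()):
        if grant.resource != req.resource or req.action not in grant.actions:
            continue
        if grant.scope is not None and grant.scope != req.scope:
            continue                      # right resource, wrong region
        if grant.requires_mfa and not req.mfa_verified:
            return "mfa_required"         # password alone is not enough here
        return "allow"
    return "deny"                         # no rule matched: default deny


if __name__ == "__main__":
    cases = [
        Request("alice", "phone-a1", "crm/customers", "read", "emea", False),
        Request("alice", "phone-a1", "crm/customers", "read", "apac", False),
        Request("alice", "phone-a1", "hr/payroll", "read", None, True),
        Request("bob", "laptop-b7", "hr/payroll", "write", None, False),
        Request("bob", "laptop-b7", "hr/payroll", "write", None, True),
        Request("bob", "phone-b9", "hr/payroll", "read", None, True),
    ]
    for c in cases:
        print(f"{c.principal:6} {c.device_id:10} {c.action:5} {c.resource:14} -> {decide(c)}")
```

The interesting cases are the negative ones: Alice's enrolled phone reaches only EMEA customer records, so a thief who unlocks it gets that and nothing else; Bob's lost phone is denied everywhere even with a valid second factor, because the device check runs before any grant is consulted; and payroll writes from Bob's own laptop still stop at `mfa_required` until the session has completed a second factor.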
2. Review partners to see if they can be trusted.
In this connected and collaborative world, it is not surprising that companies find themselves working with other organizations. And sometimes data breaches come through these partners, collaborators, and suppliers. As difficult as taking care of your own organization’s cybersecurity is, you should worry about your partners’ security as well. As CIO, you should be able to audit the security policies, practices, and technologies of any potential partner before they are given access to your systems or data.
3. Review security clearance.
Some industries and businesses interface with the government. If you work for such an organization, you need employees and IT staff who hold the security clearance required to receive and read classified information from the United States government.
It now takes longer to get that authorization, with some people waiting for more than a year for their clearances.
If you hire or already have staff who are cleared to handle this information, you can cut the time it takes to get started on these projects.
4. Know who is attacking the organization and what they have to gain from it.
There are several reasons why cybercriminals hack into your systems. They could be looking for confidential information, trade secrets, and personal data. They might want to sell your customers’ email addresses, financial details, and other records. A nation-state could be spying on another country’s classified files. Still others simply want to use your computers to mine cryptocurrency or run similar schemes.
Recent attacks include ransomware campaigns that North Korea was rumored to have launched, and foreign governments collaborating with independent hackers to carry out cyber attacks.
When you fall victim to an attack, you should work out who attacked you and what information they were after. Knowing the attacker’s goal lets you not only fix the systems where you detected the attack, but also get a fuller picture of which other systems and resources might have been reached on the way to that goal.
5. Determine what you need to announce, divulge, or disclose.
What most CIOs fear about a data breach is that information about their businesses and customers will come out involuntarily. Some business executives are unsure how much to divulge about a breach.
The good news is that the Securities and Exchange Commission has already issued guidance on what information public companies should disclose in the event of a data breach, and to whom.
The SEC expects companies to disclose material cybersecurity risks and incidents in their periodic filings, such as annual reports and financial statements, rather than only when a breach makes the news. The disclosure should describe how severe the incident was, how it was detected, and how the company plans to address it and prevent similar incidents in the future.
The last time that the SEC issued guidelines related to cybersecurity was more than seven years ago.
The new SEC guidance, however, leaves the company a lot of leeway. In short, the SEC does not require you to divulge everything; you need to decide what to disclose so that your customers and stakeholders are satisfied that you are securing your systems, without telling the world, and the hackers, exactly what you are doing so that they could circumvent it.
Fortunately, you as the CIO do not have to do this on your own. You can ask for outside help. Hire a consultant to help you figure out what to tell and what to keep confidential. This also brings a fresh pair of eyes and some objectivity to your projects: an outside consultant will not be afraid to tell you whether something is wrong with your systems, unlike somebody who worked on that particular project.
6. Know how to tie cybersecurity to compensation.
Many CIOs are now thinking about how cybersecurity should affect pay. For instance, Equifax now evaluates five company executives on how they are helping the company fix its security problems.
The executives need to meet the goals set out in the company’s cybersecurity plan; if they fall short, they receive a smaller bonus. For instance, only if Equifax adopts the NIST cybersecurity standards within the agreed period will the executives receive their full bonus. Verizon Communications is also considering tying cybersecurity to the performance evaluations and incentive pay of its executives.
This idea could also be applied to rank-and-file employees. For instance, they could get better evaluations for following security protocols and helping secure their devices. Be careful about penalties, though: docking the bonus of anyone who loses a smartphone encourages people to keep quiet about it, and a lost device you do not know about cannot be wiped or cut off from the network.
Photo courtesy of ecoev (Flickr).