Advances in technology and accompanying cybercrimes move at a lightning pace these days, making it a constant high-speed footrace for your Chief Information Officer (CIO) to keep up. The never-ending threat of data breaches and other data disasters does nothing to ease a CIO’s day or peace of mind.
If you are concerned that your CIO is feeling the pressure of keeping up with security, compliance, and general industry and organizational expectations, it may help to put together a list of security essentials for them.
The Department of Justice (DOJ) recently released a guidance document called The Evaluation of Corporate Compliance Programs, intended to provide key clarifications for CIOs on what regulators expect. Combined with your own organizational priorities, the following 10 security essentials, drawn from that guidance, should give your CIO sound and practical direction for performing his or her daily vital tasks more smoothly.
10 Security Essentials for your CIO
- Compliance Programs Must Have the Appropriate Resources
- The Success of Compliance Programs Relies on Building and Fostering a Risk-Aware Culture
- Establish and Build Relationships for Success at All Levels of the Organization
- Defend the Workplace at All Possible Infiltration Points
- Develop and Implement a Security-by-Design Approach
- Security Compliance Must Align with Other Functions
- CIOs Must Adopt a Risk-Based Approach to Security
- Solid Compliance Requires Metrics That Matter
- Third Parties Must Conform to the Organization’s Policies and Procedures
- Report, Manage and Respond to Incidents Per Established Protocols
1. Compliance Programs Must Have the Appropriate Resources
The word “resource” appears 21 times in the 18-page DOJ document, a clear sign that the DOJ considers adequate resourcing of your compliance program extremely important. The prime resources, of course, are adequate staffing and budget. The compliance function needs those resources to perform audits, then document and analyze the results, before putting a plan into action.
Because the DOJ places such emphasis on resourcing that it demands an explanation for any denial of resources, it is important for CIOs to remember to explain the DOJ’s position on resources to the company’s C-Suite and board of directors. They need to know that any resourcing decision will be intensely scrutinized in the event of an investigation or prosecution following a data breach or other incident.
2. The Success of Compliance Programs Relies on Building and Fostering a Risk-Aware Culture
Everyone in the organization can become a point of infection. Everything staff does, whether opening an attachment in a suspicious email or failing to install a security patch, has the potential to cause a negative security event. With these risks in mind, it is crucial that your security program actively includes everyone.
Define risks and goals, educating all users by spreading the word via written, aural and visual means to the point that it becomes culturally ingrained. You want a culture where attention to security concerns is second nature and where careless behaviors toward security are not acceptable. Work to find incentives to create this culture while adopting and implementing tools to track progress.
3. Establish and Build Relationships for Success at All Levels of the Organization
Not only is it a DOJ requirement that CIOs maintain a direct line of communication with the board of directors and audit committee, but it is simply a good idea. Your CIO needs to build and maintain a good rapport with everyone from C-Suite to staff members in no way directly involved with IT or decision-making processes. Positive professional relationships simply make it easier to perform the role effectively in multiple directions.
4. Defend the Workplace at All Possible Infiltration Points
Cybercriminals never stop searching for weaknesses in any given computing system. They will not overlook any connected device, whether a smartphone, laptop or smart refrigerator. Every device in your environment becomes a potential opportunity for malicious attacks. Make sure that centralized management and policy enforcement rule the use of any connected devices. By taking the reins over these devices, your CIO manages chaos while still allowing for reasonable device usage.
5. Develop and Implement a Security-by-Design Approach
Before adding and implementing services for your information systems, it is important to first explore all security considerations. Build security in from inception, allowing for regular automated and human-driven tests to track conformance and compliance. This approach builds a better security program and ultimately saves money, since building security into a system from the start generally costs far less than trying to retrofit a good security fit after the build is complete.
6. Security Compliance Must Align with Other Functions
The DOJ makes it clear that compliance must proactively work with other functions, such as procurement, internal audit and third-party vendor management. Also, compliance officers must participate in any merger or acquisition process, including the due diligence phase and the integration process of the new company.
7. CIOs Must Adopt a Risk-Based Approach to Security
Many businesses hesitate to adopt and implement a risk-based approach to security because they are concerned that they will miss something and be held accountable for it. The DOJ reassures CIOs that this is not the case: a risk-based approach is expected, even if the risk-based program fails to prevent an infraction or infiltration in a low-risk area. The DOJ’s guidance goes on to state that this type of approach helps CIOs avoid devoting a disproportionate amount of time to low-risk areas at the expense of high-risk areas.
8. Solid Compliance Requires Metrics That Matter
It is important that CIOs adopt and implement metrics that are easily monitored, evaluated and acted on, to ensure that the security program is running effectively. These metrics must apply to the following:
- Policies and procedures
- Third-party relationships
- Risk management and risk assessments
Here are just a few possible metrics that your CIO might explore:
- IT performance metrics: measuring internal metrics against your own organization’s standards, as well as against environments with similar populations, industries and demographics, provides helpful insights on improving performance.
9. Third Parties Must Conform to the Organization’s Policies and Procedures
Any company with whom your own organization does business, to the extent that they have access to your data in any capacity, must understand your policies and procedures. Service organizations in particular must align their computing system’s internal controls to your own, and you must perform regularly scheduled SOC audits to ensure compliance.
For all other third parties, it is important to simply make your policies and procedures easy to find, whether on the company’s website or via contract terms.
10. Report, Manage and Respond to Incidents Per Established Protocols
While it is vital that everyone on staff stays aware of potential risks, behaves accordingly, and lets you know if they suspect something is amiss, that alone is no longer enough to stave off hackers and other threats.
It is crucial that your CIO develops a company-wide effort to implement intelligent and cognitive analytics, along with automated response capabilities. Such a system can detect and respond to an infiltration attempt far more quickly than humans can, even at our most alert.
Does Your CIO Need More Support in Dealing with Today’s Security Threats on Multiple Fronts?
If your CIO needs more support in adjusting to the new DOJ guidance or simply in improving daily operations, our team at I.S. Partners, LLC is here to help. We can help your CIO streamline processes and develop ways to get your team on board quickly and completely with strategies aimed at improving network and data security.