I never subscribed to the “fox watching the henhouse” theory about why Information Security should sit in any group of an organization other than IT. If you truly want to be secure, rather than checking the box on a compliance worksheet, then sit that group right next to the people who implement the work. Make them part of the process from initiation through delivery. Those who choose not to structure their organization this way incur something called “technical debt”: they approve the risks and shortcuts needed to get something accomplished, with essentially an IOU that they will come back and clean up all the vulnerabilities after the project goes live. The reality is that they rarely ever do; they move on to the next project.
That being said, here is an illustration of what I consider the ten security essentials every CIO should know:
1) Asset Management: You need to know what you have in order to know what to protect. Spreadsheet tracking is never a good way to go. Make the investment in a tool where inventory can be automated and kept evergreen with very little labor spent managing it.
2) Strategy: Two points to be made here:
a. A strategy and a roadmap are not one and the same. Roadmaps should be associated with products; strategy is architecturally oriented and forward looking.
b. Hesitate to create a strategy that is longer than three years. In this space, tools, threats and vulnerabilities are moving faster than an organization can keep up protecting itself.
3) Process: Bring security in up front in the project lifecycle. If you can’t get security accepted as part of business case development, make it a sign-off participant on functional requirements. Make sure this happens at the “pre-funding” stage.
4) Third-Party Management: Growth companies rarely go it alone. M&A activity and organic growth both involve multiple partners to help you get there. As due diligence occurs on these vendors, make sure they agree to your security terms, or find another one.
5) Tools: There will be many tools running in your environment, each serving a need, whether that be vulnerability management, incident management, threat detection, etc., but what tools also provide is the ability to centralize and capture intellectual capital. The more information is documented and stored, the less reliant you are on individual resources. We are in a time where professionals in this area are changing companies every 24 months, and compensation seems to have no boundaries. Don’t be a victim of dependence on any one specific individual. Protect yourself and your organization.
6) Identity Access: Statistics still prove that there is a far greater chance of an internal associate compromising your environment than an outside source. Be diligent in the access they are given. Role-based permissions granted up front are standard protocol, but where organizations get lax is when associates move from job to job internally and their permissions carry with them and are never reset. Adopt tools for this.
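One way to surface the permission carry-over described above, as an added example that is not from the original post: the role baselines, associates and entitlement names are constructed sample data, and the recertification logic is illustrative rather than any specific tool’s.

```python
"""Flag permission creep when associates change roles internally.

Added example, not from the original post. Role baselines, the associate
records and the entitlement names below are all constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role is supposed to hold.
ROLE_BASELINE = {
    "accounts_payable_clerk": {"erp_read", "erp_invoice_post", "vpn"},
    "treasury_analyst": {"erp_read", "bank_portal", "vpn"},
    "hr_generalist": {"hris_read", "hris_write", "vpn"},
}

@dataclass
class Associate:
    user: str
    role_history: list          # oldest first; last entry is the current role
    entitlements: set = field(default_factory=set)

    @property
    def current_role(self):
        return self.role_history[-1]

def stale_entitlements(a: Associate) -> set:
    """Entitlements held beyond what the current role's baseline grants."""
    return a.entitlements - ROLE_BASELINE[a.current_role]

def classify_stale(a: Associate) -> dict:
    """Split stale entitlements into 'carried over from a prior role'
    versus 'ad hoc' (never part of any role the associate has held)."""
    prior = set().union(*(ROLE_BASELINE[r] for r in a.role_history[:-1]))
    stale = stale_entitlements(a)
    return {"carried_over": stale & prior, "ad_hoc": stale - prior}

def review_report(associates) -> dict:
    """Return {user: findings} for associates whose access needs recertifying."""
    report = {}
    for a in associates:
        findings = classify_stale(a)
        if findings["carried_over"] or findings["ad_hoc"]:
            report[a.user] = findings
    return report

# Constructed sample population.
SAMPLE = [
    # moved from AP to treasury; erp_invoice_post was never revoked
    Associate("jdoe", ["accounts_payable_clerk", "treasury_analyst"],
              {"erp_read", "erp_invoice_post", "bank_portal", "vpn"}),
    # never changed roles, but was granted hris_write outside any role
    Associate("asmith", ["treasury_analyst"],
              {"erp_read", "bank_portal", "vpn", "hris_write"}),
    Associate("bwong", ["hr_generalist"], {"hris_read", "hris_write", "vpn"}),
]
```

Running `review_report(SAMPLE)` lists jdoe (carried-over grant) and asmith (ad hoc grant) for recertification and leaves bwong, whose access matches the role baseline, off the list.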
7) Culture: This starts at the top. It’s the CIO’s responsibility to make sure the President of the company takes security seriously and makes it a priority of the business. This isn’t as tough as it used to be, given social media’s coverage of all the cyber-crime that has taken place over the past few years, but the more associates who keep security in the back of their minds, the better. Campaigns, mandatory security courses, even contests are all valuable efforts.
8) Public Relations: Manage security incidents properly, as no two are the same. Again, social media is relentless with these stories. Qualify and quantify the situation first, in an isolated manner with select individuals, then work with internal communications and marketing to translate the real impact into terms the public would understand.
9) Compliance: These standards are not enough. If you are simply going about your day trying to meet regulatory compliance standards, then you have already lost. Cyber-terrorists play by no rules; you do! They will always be far more advanced than government mandates; therefore, you have to take your protection plan to another level to keep pace.
10) Talent: It’s obvious that this is as important as getting top talent in any other part of the organization, so I won’t state the obvious. What I would warn is that most organizations’ pay bands, or overall compensation structures, are behind what is happening in the marketplace in this area in particular. The candidate pool is very slim; some studies have shown that the unemployment rate of an information security professional is less than two percent in the U.S. So they are demanding top dollar, bonus, stock, and relocation assistance. Altogether it’s nothing compared to the financial or reputational damage you would suffer in the marketplace from a security breach, so get on the same page with your leadership team and HR and pay it! Secondly, I would recommend a nice mix of junior and senior level talent. Set your strategy up with short- and long-term objectives, apply your senior talent to the short-term objectives, and groom your junior talent on the long-term ones. This will give them internal career growth opportunities.
Security plays an integral role in the fabric of an organization, more today than it ever has. Whether your business is domestic only or international, these principles apply to both. An effective CIO would not be stubborn enough to think that a technical solution alone is the answer to safeguarding data. That was the philosophy of the past. Today, CIOs have to rely on their security partners, who are dedicated to following the daily vulnerabilities in the marketplace, and on their expertise on the right tools and processes to incorporate into the environment. This is a game that you never win; never be complacent, and consider “uneventful” days your small victories.