Rethinking your Cybersecurity Approach: Thoughts from a CIO
October is National Cybersecurity Awareness Month, and this week the theme is “Cybersecurity in the Workplace is Everyone’s Business.” As CIO of Forcepoint, I’m keenly aware of how important it is for cybersecurity to be a shared concern across the business. As cyber attacks rise exponentially, and the attack surface continues to expand, I know that my peers are also increasingly attuned to this issue, while many struggle to keep up with the ever-changing landscape.
I hear often from partners and customers about their concerns for protecting employee privacy, anonymizing sensitive information, and being able to extract the signal of genuine threat alerts from the overwhelming noise of available data. With the CIO’s attention pulled in a thousand different directions, how should she begin to implement an action plan for security in the workplace? In this blog, I propose a few key areas for my fellow CIOs to keep in mind as they work to strengthen their security policies and procedures.
Knowledge is Power
I know two things to be true: security begins with people, and knowledge is power. With that in mind, educating everyone at your business from the C-Suite to the salesforce about security best practices should be your first order of business. Too often, the CIO tries to speak to stakeholders in technical terms, but security is everyone’s business. To reach everyone, you have to speak their language.
Consider making education around security experiential rather than compliance-based. The people within your organization need to understand, at an individual level, why security best practices matter to them, to their business, and to their customers and partners. For example, instead of teaching people what phishing is by way of a training module or slide deck, conduct a phishing experiment. When someone takes the bait, they immediately receive information on how to stay safe, creating a much more powerful learning experience.
Always be Thinking of the Business
Be sure to have a strong architectural approach to security. These days, we’ve moved way beyond the era of “protect the end device and the perimeter.” Think through what your security program is going to comprise in an era of BYOD, shadow IT, and cloud applications. And while you’re looking at the big picture, consider the business implications of your security architecture (and be sure to communicate them clearly!).
Speaking of the business, never forget that you are part of a broader team, and that your shared mission is to support the business. From that perspective, it's up to you to shift security operations from the lens of “necessary evil” to “critical business infrastructure.” You would also do well to adjust the tone from “naysayer” to “enabler.” It’s important to develop a business culture that positions security as a force for good within the organization, so that employees are less likely to try to work around security protocols. This means understanding when, and why, members of your organization are circumventing security protocols, and partnering with them to find solutions that enable the business to grow stronger while still protecting critical assets.
And finally, it’s important to consider your external communications and relationships – because these have a significant impact on your business as well. Many recent breaches in the news have been remarkable in part because of the terrible external response. Speed matters and transparency matters, so reach out to customers in a matter of minutes or days, not weeks or months. The faster you can react and contain the situation, the better you’ll protect the business.
A good plan today is better than a perfect plan tomorrow
Take a good look at your incident response plan. And if you don’t have one already, make that your first priority. Develop and socialize a documented policy and procedure that is shared across the organization, and make sure that your operating procedure maps to the document. Don’t let perfect be the enemy of good here. It’s important to start somewhere and build on your experience.
Unfortunately, no one among us is bulletproof, and security incidents will happen. While painful and costly, remember that these are also golden opportunities to review and make adjustments to your security infrastructure, your internal education, and your external communications.