Cybersecurity is a moving target; just because something protected your business last year does not mean it will keep the company safe this year. A recent government survey into cybersecurity breaches highlighted that while 74 per cent of UK businesses consider cybersecurity to be a high priority, “a sizable proportion of businesses still do not have basic protections or have not formalised their approaches to cyber security”.
It’s important that the CIO remains one step ahead of threats, and that companies are best equipped to mitigate the effects of any potential attacks.
Ian Pitt, CIO at LogMeIn looks at how CIOs can best protect their businesses, from the initial approach to cybersecurity, to the formation and implementation of a cybersecurity policy, and finally, what the future holds for the CIO and cybersecurity.
Approaching cybersecurity holistically
When it comes to approaching cybersecurity, a CIO needs to be wary of making sweeping announcements, implementing changes, and forever altering the landscape of the company – not always for the better. An organisation can only adopt a productive and successful cyber security program when the culture, budget, risk, scope and the willingness all meet and align. If any of these elements are missing, the CIO will fail to effectively change the security stance of the organisation.
Therefore, early in the CIO’s tenure, they should gain a thorough understanding of what’s currently in place, what’s been done in the past (including both successes and failures), and the organisation’s risk profile and appetite. Security should be critical for all companies, but the approach will inevitably correlate to the risk facing the organisation. Finally, when approaching cybersecurity, it’s crucial that the executives and board are behind the plan. Without support across all arms of the organisation, any policy will struggle to flourish or deliver the best results.
Adopting a cybersecurity policy
The basis for any cybersecurity policy should be an understanding of behavioural changes in people. A CIO who focuses exclusively on technology to implement a policy will be doomed to failure. It’s important that they take into account the training and readiness of the user population to round out a truly secure environment.
Each element of a policy should build on the foundation that users have a desire to be secure, and that they know what to watch for. The best defences can be easily unwound by a social engineering attack, and once the basics are in place (firewalls, password policies, access controls etc.), the CIO can often get an excellent return on making sure the user population is well versed in their role as the first and last lines of defence.
Once formed, a policy should be implemented collaboratively, with a high level of education and explanation. There are two possible reactions to a sudden change in a company’s security stance: a groundswell of adoption and support, or a catastrophic push back and loss of productivity from the user base. The latter will inevitably occur if users suddenly find they can’t do something, or ‘The Company’ is seen as being subversive or suffocating. In order to achieve the first response, users need to be educated so they understand why changes are necessary, and the policy needs top down support.
A well-formed cybersecurity policy must include commitment from the top; clear, relevant, concise statements on who should be adopting the policies, and why they’ve been implemented; basic hygiene elements; and monitoring and alerting tools that are regularly fine-tuned. It’s critical that policies are regularly reviewed and that employees are kept sharp and continuously trained. Finally, security should be fun, and so a policy should encourage participation in making security pervasive through competitions and humour.
Staying one step ahead
In the ever-changing culture of cybersecurity it can be hard for a CIO to remain one step ahead of threats. However, networking and communication are two of the easiest ways for a CIO to get a foot in the door before the threat hits. By understanding the changes to the business that are planned, and driving them where necessary, the CIO can greatly assist the organisation in adapting to the ever-changing threat landscape. In addition, the CIO shouldn’t be afraid of looking outside the organisation for counsel. Peers and specialist organisations should be regularly consulted to widen the understanding of evolving threats. Adapting policies, processes, and education with that knowledge will greatly assist a successful approach to cybersecurity.
Looking ahead… the future for the CIO and cybersecurity
Looking into a crystal ball doesn’t always work in the world of security, but at a macro level, the CIO can expect a number of changes in the arms race that is cybersecurity. From a technology perspective, machine learning will greatly assist in threat detection and mitigation. One area that many companies struggle with is keeping up with endless flows of information and filtering out false positives to allow security teams to focus on the real threats.
There are a host of early stage vendors that are offering increasingly smarter tools, and once these become established, it’s entirely possible that CIOs will be able to see security environments holistically, reacting in real time to events, rather than being used in a forensic process.
Finally, there will be an ever-increasing use of ‘shadow IT’ tools in an organisation. This will be driven by the constant commoditisation of technology, SaaS products introduced without first being vetted by security teams, and mobile devices. Because of this, CIOs will be forced into maintaining very close relationships with the user base, and into fostering a spirit of collaboration.
What is unlikely to change, regardless of the technology, is the concept that people will always be the first and last lines of defence, and this should be at the front of any CIO’s mind when they’re approaching cybersecurity.
Ian Pitt, Chief Information Officer, LogMeIn