When a data breach occurs, the repercussions have a major impact on your entire enterprise.  To name just a few of the consequences: you lose customers; business has to be put on hold while you restructure and replace the decision makers who have to leave; and you have to fix the vulnerabilities.  A perfect example of the effects of a data breach on a business is Target. Not only did they take a financial hit as customers lost trust, but their CIO resigned and, recently, so did their CEO.  What can information security professionals and business executives do to avoid Target’s fate?

The first thing everyone needs to realize is that information security is a C-level corporate issue too. The livelihood of your business depends on how seriously you take your security posture.  Both CEOs and CIOs have some fixing to do.

What CEOs need to know and do to improve security

CEOs need to realize that information security is not only an IT problem; it involves the entire organization. Technology isn’t the only solution to securing data; an effective posture also includes people and process.  They also need to know that their CIOs aren’t always disclosing everything. The reasons for this can be fear of job repercussions, including losing the job, or a reluctance to burden the CEO with what might turn out to be a false alarm.  Businesses face security threats on a daily basis, and the only way to respond effectively is to set up a holistic data security program that can detect threats as well as mitigate them to limit the damage.

What CIOs need to know and do to improve security

When it comes to CIOs or CISOs, they too need to change their ways.  As shown in the recent Ponemon Institute Data Breach Cost Study, breach costs have risen 15 percent to $3.5 million.  These costs include the expense of bringing in security experts after the fact, investigating the data breach, and the loss of customers.  Information security professionals must tell leadership when more resources are needed to implement the right risk management measures.  They must also speak to the C-suite in non-technical terms: help them understand the importance of putting policies and procedures in place and of getting outside help where you know external resources are necessary, and tell them about the risks that are present within the network and the organization as a whole.

CEOs and CIOs need to stop setting unrealistic goals, such as assuming they can block all attacks simply by implementing some security technology, and realize that information security needs to become a business process that never stops.  Technology is the first step; then come vulnerability scans, business continuity management and continuous monitoring.  It also means knowing when it’s necessary to get outside help, because unfortunately there will always be something you could miss, and an external security professional’s experience and tools, plus a fresh set of eyes, can find something you didn’t see (not for lack of trying, just because it happens).

Target waited too long to act. They communicated the breach far too late and lost a lot of trust in doing so.  Lastly, they did not get additional help where it was needed, nor take all the necessary steps that could have prevented the incident from becoming so big.  It’s never too late to change your ways, and hopefully both CEOs and CIOs see this by now.

As the digital world keeps expanding, so do your data risks. What are you doing to protect your business and take your information security to the next level?


Photo Courtesy of Dirk Ercken