Today’s CIO faces far more headaches in maintaining an effective security posture across the enterprise. That is not only because of the move to everything digital; it is also because of the way the enterprise works: instead of adapting to new ways of operating, it stays stuck in the old ones.

CISOs continue to find themselves limited in the budget they have to manage security risks. Funding technology defenses alone is not enough, since effective security entails much more. Security leaders within an enterprise know this; it is the people higher up who have a hard time understanding it.

When CISOs are trying to secure the enterprise without being able to voice the need for an external security audit of the network, or are spending most of their time chasing application flaws, there is a real problem with finding vulnerabilities across the enterprise as a whole.

  • A recent Black Hat survey found that more than a third of IT professionals spend their time addressing vulnerabilities introduced by internally developed software and by off-the-shelf software.

In addition to the lack of communication on data security, business leaders’ old habit of staying out of touch on such matters is a trend that continues. Studies show that only a minority of security pros find board members actively engaged in cybersecurity issues. The role of the CISO on the executive team also continues to face challenges: the CISO is still not taken seriously as a business leader. Part of the problem is the technical nature of the CISO’s role and the trouble CISOs have communicating in the language of the business.

Training programs have been created to try to close this gap, but even without such a program it is possible for CISOs, CIOs and business executives to coordinate on information security. A company working towards growth should already have a unified culture, one that includes all members and all matters important to the survival of the enterprise.

The fact that CIOs and CEOs are losing their jobs following a breach may help push leadership to come to terms with these bad habits. Information security is meant to help a business grow: it can lead to closing contracts and generating new business because of the assurance the organization can give future business partners. Beyond growth, it is essential to avoid business disruption caused by loss of data and loss of client trust.

Whether organizations care to admit it or not, information security is already part of the business process; the difference lies in realizing this, so that the appropriate steps can be taken to make sure it is a process that is seen and followed with the necessary expertise. As long as all the pieces of risk management are left to fend for themselves, attackers are more likely to have eyes on your network and data than you do.

How do you plan on changing your ways to ensure the security of your business and data assets?

Photo courtesy of Maksim Kabakou