CEOs and CIOs are well aware of the need to secure their data if they wish to stay in business; yet most enterprises are still having trouble staying ahead of attackers (just read the Verizon DBIR). What executives and security professionals need to do is take a deeper look into how they’re treating information security within their business structure as a whole.
It starts with the top three components of a holistic data security approach (people, processes and technologies) and moves to include at least three more areas that affect your business environment’s risks: security culture, awareness and training, and teamwork.
Your enterprise’s information security culture
- What’s the culture of your organization when it comes to data protection? What does your company hold as most important when faced with risk management challenges? Can CIOs take action immediately if a risk is detected or is it kept hush, hush?
If a business has a policy of “don’t bring me bad news” this will cause a major set back to the security of your business. IT leaders and employees alike must be able to communicate threats without fear of negative repercussions. On the other hand, CEOs must question if they are being informed of potential network risks and should look into getting an external security expert’s opinion; just in case their CIO is in fear of losing their job and not informing them of potential threats.
Employee security awareness and training
- Are employees informed of the importance of security? Are they encouraged to come forward when there are unmet security needs? Can they recognize a security threat or have you not taken the time to provide the proper training? Is there transparency among employees on matters of data theft and mismanagement?
A recent study showed that a third of employees would rather contract the flu than tell their boss about losing an unprotected device. Although the percentage seems low, this is not good (all it takes is one vulnerability and your data is gone). CEOs and security leaders need to have the full team onboard if they’re going to beat the enemy. Training and awareness on security measures and actions need to take priority.
Security teamwork in all departments
- How big is your business on collaboration and teamwork? Are there mini-groups with a group head that understands a little bit more about security and protecting data in a virtual environment? Someone that brainstorms solutions or is prepared to answer and redirect security questions when needed?
An emphasis on data protection support and an assigned go to person for security problems (as they arise) will encourage people to raise their hands if they need help; as well as give them someone (who works closely with them) to go to if they spot a potential problem.
We’ve all heard about the Target breach repercussions and how the company had the warning signs, but didn’t take action. We also just faced a recent unexpected threat, the Heartbleed bug, which companies are still working on to ensure no further damage can take place from the vulnerability. Furthermore, everyone knows it won’t be the end of major breach incidents or new risks. By exploring the major areas of your business structure as a whole and how information security is integrated within it, you can be prepared for these future data threats.
How does information security fit within your business structure and what areas present challenges to your effective risk management?
Photo Courtesy of Maksim Kabakou