Due to a continuously changing threat landscape security executives can’t take a passive approach to their organization’s risk management program. New technology tools and skills to protect valuable data are two things they can’t do without. But what else can security executives do to further protect their network and enterprise data as 2014 comes to an end and 2015 sets in?
- Prepare for breach incidents by simplifying and thinking innovatively when it comes to technology and process. Security executives can make it easier on the board and the IT team to implement necessary measure through effective communication. CIOs are the experts when it comes to understanding breach and security lingo; make it accessible to key business members by breaking it down in such a way that they can really understand what they need to do.
- Stop sticking to old ways. Hackers are finding new ways to get into your network and as long as you stick to a rulebook type strategy, you’re never going to get ahead of your risks. Compliance is only one piece to the puzzle, be creative and leverage the data you have to implement new detection and alert mechanisms.
- Learn to think outside of the box and if you can’t, ask for help. You know if your organization doesn’t have the necessary security resources to be effective in managing risks. If your security “Why” is in the right place, you will do whatever it takes to ensure your organization and data are secure from threats.
- Stay on top of your contractors’ security posture. Do you know if they’re taking all the steps to implement a holistic risk management program? Have they had an audit or assessment that confirms their network and facility have the physical and environmental controls needed to spot vulnerabilities and threats? Do they conduct third party audits or is it all done in-house? Do they implement continuous monitoring? Prepare a list of security related questions to vet your business partners.
- Educate everyone in your organization on best security practices. Train them on how to spot a phishing email, share with them what they need to do to secure their mobile devices, and inform them of what steps to take if they suspect compromise. Set up a training session once a month or give staff an easy way to find that information, as well as a practical way to reach out and ask for help with security related matters. The more you include everyone in your organization’s risk management process (in addition to setting up policies and procedures), the more likely it is you can diminish insider threat caused by staff not knowing any better.
By taking these steps you can ensure you’re doing your best to secure your organization’s environment and sensitive data for the new year. It is obvious that things need to change if businesses are going to stay ahead of threats. It is also quite evident that enterprise data holds an enormous value; Sony’s breach is a perfect example.
As a security executive you are well aware of the risks your enterprise will face. Help your board of directors to realize this too and involve the rest of your organization’s people in the security process. After all, security involves people, process and technology; you can’t be successful without all three.
What other risk management measures are you taking to secure your facility and data for 2015?
Photo courtesy of Ribah