In 2014 the cost of breach increased by 15 percent and in 2015 it had increased by 23 percent. This means we can expect it to increase some more in 2016. In addition to costs, organizations face multiple threats that go beyond breach; and with Gartner’s expectations of 5.5 million new devices being connected to the Internet of Things (IoT) every day by 2016, security executives have a lot on their plate. What can they do to manage risks effectively and keep their security posture up to par? Some helpful tips on what to do and what to avoid doing is a good place to start.
Shift focus from 100% security to proactive security
Although it’s appealing to set a goal that aims for 100 percent protection against cyberattacks, it’s an unrealistic goal due to the ever-changing nature of the cyber world. Also, thinking that you have obtained an impenetrable security posture lowers your guard because it doesn’t promote a proactive approach to continuously monitoring your network and potential app vulnerabilities. You gain a false sense of security that will come back to bite you the same way it has other organizations who at one point thought they had an unbeatable security.
- CIO Tip 1: Aim for proactive security by implementing continuous monitoring of your network and overall organization infrastructure (including apps and devices used, as well as the physical security measures in place or not in place).
Accept that there are no shortcuts to holistic security
The CIO’s limited budget isn’t a novelty; neither is the fact that this strain is part of the problem for organizations not being able to obtain an effective overall risk management posture. Everyone gets it, business executives and the C-Suite don’t see the ROI behind security or not to the extent needed; but it’s also the CIO who tries to make the boss happy. It is time for the CIO to inform the higher up that investing in the latest security technology and tools to avoid allocating some of the company’s budget towards risk management consultants or additional cybersecurity skilled employees won’t cut it.
- CIO Tip 2: Holistic security involves so much more than technology and security tools; you know it and it is time you make it clear to those in charge.
Keep your incident response plan in the forefront
A Ponemon Institute study in 2015 showed that 81 percent of companies had an incident response plan, but that only 34 percent believed the plan to be effective. That’s not a lot of confidence in something that took so much time to prepare and that is supposed to help you recuperate from a breach, as well as lower your costs following a security incident. What’s the point of having a breach response plan if you’re not confident it’s going to work and why do you even have a plan that you don’t trust will be effective?
- CIO Tip 3: Invest time and effort into your incident response plan. Get the help you need to test and make sure it works; that you can collect, preserve and analyze the data in a way that stands up in court.
Meeting the C-Suite’s demands, while working on an effective information security posture can’t be easy, but it most certainly isn’t impossible. If a CIO’s ‘InfoSec Why’ is in the right place, figuring out how they can get the executive team to take the right risk management steps is already in the happening. The three tips above help to further the end goal of securing one’s organization from the security risks ahead.
What tips can you share with security executives to help them with risk management in 2016?
Photo courtesy of Maksim Kabakou