Another year is drawing to a close, and with it come the usual look-back stories on what happened. Once again it wasn't pretty. The question is what a CISO should do about it.
The answer is to cover all the bases while meeting the demands of other parts of the organization for business agility. A big job? Security and agility aren't incompatible, but like everything else in an enterprise they have to be weighed against risk.
That brings me to an article I saw this week that outlines seven steps CISOs should be taking to make their organizations more secure:
–Understand information assets. I’d make it clearer than that — understand that in addition to product design and intellectual property, all personal information held by the organization is also a target and has to be protected;
–Encrypt all data. Here's where business units may object, fearing that encrypting data at rest as well as in transit will slow down business processes. And small businesses may say it's impractical. But the risk is too great to do otherwise.
Remember, no company is too small to be attacked: Last week CBC reported that a Calgary wine store had to pay a ransom to get its data back after an attacker infected its database. Note that encryption protects confidentiality, not availability: a ransomware attacker can encrypt data you have already encrypted. So whether or not you encrypt, have solid backup and recovery processes, with copies kept off the production network and restores tested regularly, so blackmailers can be ignored.
–Automate security processes where feasible;
–Keep patches up to date. That doesn’t mean everything has to be patched immediately. As an expert I interviewed earlier this year pointed out, patches have to be prioritized.
–Demand top security from third parties the organization does business with. You haven't forgotten how the attackers got into Target, through the network credentials of a third-party HVAC contractor, have you?;
–Build security into the organization’s risk model;
–Actions speak louder than perimeter alarms. That means user and account behaviour detection software, which baselines what each user normally does and flags departures from it, has to be part of the security toolset.
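The kind of check a user behaviour detection tool performs, shown here as an added example that is not from the article or from any product it mentions: past login events build a per-user baseline of usual source hosts and login hours, and later events are flagged when they come from a never-seen host, fall outside the user's usual hours, arrive in a burst, or belong to a user with no baseline at all. The log format (timestamp, user, source host), the sample lines, the one-hour slack and the burst factor are all constructed assumptions for illustration.

```python
"""Baseline-and-deviation user behaviour detection over constructed login events.

Added example; not code from the article or any product it refers to.
The log format and all sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "last month" events used to learn what normal looks like.
# Hypothetical format: ISO timestamp, user, source host.
BASELINE_LOG = """\
2015-11-02T09:05:00 alice WS-ALICE
2015-11-02T17:30:00 alice WS-ALICE
2015-11-03T08:55:00 alice WS-ALICE
2015-11-03T09:10:00 bob WS-BOB
2015-11-04T09:02:00 bob WS-BOB
2015-11-04T13:15:00 bob LAPTOP-BOB
2015-11-05T09:00:00 alice WS-ALICE
2015-11-05T09:20:00 bob WS-BOB
"""

# Constructed "today" events to score against the baseline.
NEW_LOG = """\
2015-12-14T09:03:00 alice WS-ALICE
2015-12-14T02:41:00 alice FILESRV-07
2015-12-14T02:42:00 alice FILESRV-07
2015-12-14T02:43:00 alice FILESRV-07
2015-12-14T02:44:00 alice FILESRV-07
2015-12-14T03:00:00 mallory FILESRV-07
2015-12-14T09:15:00 bob LAPTOP-BOB
2015-12-14T09:16:00 bob LAPTOP-BOB
"""


def parse(log):
    """Turn log text into (timestamp, user, host) tuples; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def build_baseline(events):
    """Per user: hosts seen, hours of day seen, and the busiest single hour observed."""
    hosts, hours, per_hour = defaultdict(set), defaultdict(set), defaultdict(int)
    for ts, user, host in events:
        hosts[user].add(host)
        hours[user].add(ts.hour)
        per_hour[(user, ts.date(), ts.hour)] += 1
    baseline = {}
    for user in hosts:
        busiest = max(c for (u, _, _), c in per_hour.items() if u == user)
        baseline[user] = {"hosts": hosts[user], "hours": hours[user], "max_per_hour": busiest}
    return baseline


def detect(baseline, events, hour_slack=1, burst_factor=3):
    """Return (user, timestamp, reason) findings for events that depart from the baseline.

    hour_slack widens the usual-hours window by that many hours on each side;
    burst_factor flags an hour with more than burst_factor * max_per_hour events.
    Both are tunable assumptions, not values from the article.
    """
    window_counts = defaultdict(int)
    for ts, user, _ in events:
        window_counts[(user, ts.date(), ts.hour)] += 1

    findings, burst_reported = [], set()
    for ts, user, host in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, ts.isoformat(), "unknown_user"))
            continue
        if host not in profile["hosts"]:
            findings.append((user, ts.isoformat(), f"new_host:{host}"))
        usual_hours = {(h + d) % 24 for h in profile["hours"]
                       for d in range(-hour_slack, hour_slack + 1)}
        if ts.hour not in usual_hours:
            findings.append((user, ts.isoformat(), "off_hours"))
        key = (user, ts.date(), ts.hour)
        if window_counts[key] > profile["max_per_hour"] * burst_factor and key not in burst_reported:
            burst_reported.add(key)
            findings.append((user, ts.isoformat(), f"burst:{window_counts[key]}/hour"))
    return findings


def summarize(findings):
    """Collapse findings to {user: set of reason kinds} for a quick triage view."""
    summary = defaultdict(set)
    for user, _, reason in findings:
        summary[user].add(reason.split(":")[0])
    return dict(summary)


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for finding in detect(baseline, parse(NEW_LOG)):
        print(*finding)
```

Run as written, alice's 02:41 to 02:44 logins from FILESRV-07 are flagged as a new host, off hours and a burst, mallory is flagged as a user with no baseline, and bob's two morning logins from his own laptop raise nothing. A perimeter alarm would have seen none of this, since every event is a successful login by a valid account.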
Do these sound like Security 101? A lot of security pros I spoke to this year said the basics are still not completely carried out by a lot of organizations, which makes them more likely to be breached than others. Layer a regular awareness program, a strict password policy and penetration testing on top of this and your organization will be better placed to face its cyber challenges.