
Managing the Business Risk of Securing Information

One of the most common questions I hear executive leaders ask their IT departments is “are we secure?” Almost 25 years ago I had that same question asked of me when I held the position of CIO (Chief Information Officer) for a privately held manufacturing firm. Back then my answer was, “Yes, we are secure. We have firewalls and we changed the default passwords. We have backup tapes that we regularly take offsite. We have anti-virus installed and configured to run regular scans. And we have keypad access controls on the doors to the facility.” I provided what I thought then was a knowledgeable, logical, and technically truthful answer; an answer we both accepted. We were confident, incorrectly, that that’s what it meant to be secure.

Fast-forward to 2022 and the answer to that question is unequivocally and undeniably, “no.” No business is secure if it has a connection to or a presence on the internet. And yet executive leaders are still asking the same question to IT personnel and getting the same answer: “Yes, we’re secure.” IT personnel confident in their skills and experience continue to provide a litany of all the technical controls in place. Both IT and executives still believe that it’s the IT department’s job to secure the business and keep the information secure.

Securing information, whether we call it “Information Security” or “Cybersecurity,” is a business risk to be managed.

Executive leaders commonly pay keen attention to business risks such as financial, operational, regulatory, and competitive risk. But when it comes to cyber discussions they often defer to IT.

Cyber risk is just like any other risk to a business. Senior management must identify and convey its risk tolerance, not just to IT but to all employees. Risk tolerance represents the maximum risk that a company is willing to accept. The decisions about whether to avoid, reduce, transfer, or accept a given risk must be made by senior leadership before appropriate controls and processes can be put in place for securing information. And while some IT vendors and IT practitioners may truly be doing an outstanding job of managing the security of the IT network on their own, in most cases executive leadership had not identified how much risk is tolerable before those IT security controls were put in place.

The overall risk management process methodically identifies the risks surrounding your business activities, which often include using, storing, managing, and transmitting information. It includes assessing the likelihood of an event occurring. In today’s cyber-threat landscape, it is highly likely that at some point the business and its employees will be targeted by cyber attackers seeking access to information or vital operational systems.

Part of risk management means understanding how to respond when cyber incidents happen and preparing to be cyber resilient.

Part of managing cybersecurity risk is identifying the laws, regulations, and contractual requirements the business may have to comply with. Managing cyber risk also means enforcing adherence to the overall cyber security program, to industry frameworks, and to internal policies and standards. It includes identifying the roles and specific responsibilities designated by executive leadership and creating a team of subject-matter experts.

It requires an all-hands-on-deck approach involving culture, education, and guidance to employees on how to handle information.

Organizations that are effective at managing the security of their information share three behaviors that set them apart from others. First, the highest-ranking executive of the firm makes information security governance a priority and enlists the support of information security management experts. Second, they take a risk-management approach to information security, incorporating appropriate formal, risk-driven industry frameworks. And third, they govern IT in accordance with clear IT security standards.

Without executive leadership and guidance, employees and IT staff will make their own decisions about securing information; decisions which often increase business risk. Then executive management is surprised to discover just how vulnerable they really are. Unfortunately, they often discover this after a cyber incident occurs – which is too late.

So, the next time you think about asking IT “are we secure?” – instead ask yourself: “As the highest-ranking executive, how much information risk am I willing to tolerate and who should I have in the room to help me identify what controls and processes to have in place?”

Kimberly Pease, CISSP, is director of information security for Miller Kaplan. For more information, visit millerkaplan.com.

Return to 2022 TechTalk recap supplement main page
