Securing your data: a shift across the board
May 2017 | EXPERT BRIEFING | DATA PRIVACY
Protecting what amounts to the lifeblood of a company – its data and its reputation – from both external attacks and operational errors is a staple business requirement. Gone are the days of limited corporate engagement on the topic, or burying heads in the sand hoping that InfoSec threats will simply go away or not materialise.
To that end, regulations such as the General Data Protection Regulation (GDPR) and Privacy Shield have been introduced to safeguard customer data, pushing data security to the top of the company agenda from both a compliance and a legal perspective. Today, data security is receiving the attention it deserves in many forward-thinking companies.
So, who looks after the data in your organisation and makes sure protection is both effective and compliant? Ask almost any employee and they will likely call out the IT department. In essence this is usually true; IT has long been aware of the importance of keeping corporate data secure. However, more often than not today, the buck ultimately stops with the chief information security officer (CISO) or chief security officer (CSO). In 2017, information security must be a strategic business consideration and it is definitely something worthy of dedicated C-level attention.
Looking back several years, cyber security, while important, was rarely on the boardroom agenda. It was considered far more of a localised issue, the responsibility of the IT department – and something that would be autonomously managed. While digital processes still existed within business at this time, ‘digital transformation’ to the cloud was still a pipedream, and companies relied on internally supported hardware and software for their day-to-day operations. Cloud adoption, meanwhile, was far less prevalent and the majority of sensitive corporate and customer information was stored on company premises.
In 2007, breaches were not an accepted, everyday part of mainstream news. When a breach did occur at a large company, it was met with shock and awe. Today, with the acceptance of digital lifestyles, breaches can have catastrophic effects. This is the risk we accept in return for the richly connected and digitally intertwined world we benefit from. Think about all the systems and services on which we rely.
Imagine, for example, a successful large-scale ransomware attack on a financial services company: the organisation itself (as well as its customers’ organisations) could be seriously disrupted, some suffering catastrophic and potentially business-destroying effects. Yet just 10 or 15 years ago, ‘data security experience’ was merely a box to be ticked on the application form of the chief information officer (CIO) and nothing more. It was one of many issues a CIO was tasked with handling, but it was often small fry compared to IT resource management, technical infrastructure, budgeting, internal operations and, most importantly, system ‘uptime’.
Introducing the CISO
As digital transformation has expanded to encompass all industries and sectors, technology has become an integral part of everyday business. Further, digital processes and applications have evolved beyond internal data storage and communication. For many companies, both interactions with customers and transactions take place almost solely across digital platforms, with services delivered to handheld devices. But while technology has huge benefits to offer the enterprise, an increased reliance on digital has resulted in an increased attack surface for online threats.
Consequently, cyber security has become an issue which requires the attention of a dedicated member of the c-suite. Enter the CISO or the CSO. Their role is to protect the crown jewels, focus board members’ attention on relevant security threats and, even more importantly, present a prioritised plan of action for dealing with them. The idea is to make sure that the information presented to the board is easily digestible. It should be free from technical jargon, and concepts should be broken down using business terms and analogies that are easy to understand.
The role of the CISO also serves a dual function of providing additional risk mitigation for the enterprise, and freeing up the CIO to focus on wider strategic and operational requirements – basically getting back to their ‘traditional’ job of streamlining operational processes through technology, looking after budgets, and being the main point of contact for the IT team.
However, this separation of roles does not come without associated challenges. Dividing cyber security and ‘traditional IT’ roles in this way has the potential to cause internal conflict. For instance, what happens if the CIO wants to implement a particular solution that the CISO deems to be a high risk from a security perspective? It is in cases such as these that CIOs and CISOs strengthen their partnership and navigate a path forward.
Unification, not division
While the hierarchy of the CIO and CISO remains fairly ambiguous in the short term, and can certainly vary between organisations, it has traditionally been commonplace for the CISO to report to the CIO.
However, the reporting structure is rapidly changing, and today the CISO is a peer of the CIO. The significance of data security has stretched far beyond the confines of the IT department and has become a business-wide concern. Many business units have infrastructure and data that are not managed by the IT organisation. In particular, the explosion of cloud computing means that company data is no longer stored exclusively within the confines of the data centre, but is carried on employees’ endpoint devices such as laptops and tablets, and often held in third-party cloud storage solutions. And the prevalence of the bring your own device (BYOD) culture in the enterprise has led to an unprecedented rise in shadow IT – people using unauthorised tools, often cloud based, to complete tasks more efficiently.
Given that information security is now an interdepartmental issue, coupled with the severe financial and reputational consequences of a data breach, it is imperative that the CISO has the final say in terms of overarching security strategy for the enterprise, and a say on certain infrastructure and software solutions which, from a security standpoint, may have traditionally been handled by a CIO. That said, the CISO role should not just be devolved to policing the use of software and saying ‘no’ to people. The CISO should be finding ways to empower the business, not slow it down.
For the best business results, a CISO should work alongside the CIO, c-suite and business verticals such as product development, operations and other employees to provide them with the tools they need and a secure environment in which to use them. The best way to achieve this is to implement solutions that allow for data monitoring, visibility and recovery, regardless of where in the business it resides – either on site, in the cloud or on an employee’s laptop.
Rick Orloff is the chief security officer at Code42.
© Financier Worldwide