Every data breach in the news should be indication enough that cybersecurity must be a high priority for CIOs, and failing employing a CISO the responsibilities for keeping on top of the latest threats and cyber attacks will fall to the CIO.
Figures from the Department for Digital, Culture, Media and Sport found that over 43 percent of businesses suffered a cyber breach or attack in 2017 – and these are the only attacks that have been detected.
Cyber security is a catch-all term for many different layers within an organisation, and it can refer to technology and human processes. Whether it's device endpoints, the network, or simply the level of cyber security awareness at your workplace, a good management team should ensure that all systems adhere to security standards, and members of the team and employees are trained and made aware of risk.
A good cyber security strategy should start at the basics but go well beyond – not necessarily into the overly technical realm for all team members but enough to fortify your organisation from known exploits or simple human error.
As CIOs looking for security staff are likely painfully aware, the demand outpaces the supply in terms of the hiring talent pool.
According to the Global State of Information Security Survey 2018, about 44 percent of respondents say they lack an overall information security strategy in their business. So it's essential that leadership has some good security groundwork in place to better inform buying and training decisions.
It is also essential that corporate boards and business executives participate in reviewing the security and privacy risks – getting genuine support and buy-in from C-suite executives that understand the value of robust security can make all the difference.
Here is our guide to implementing a cyber security strategy for new CIOs.
The security framework
When presenting a security strategy, the CIO is expected to clearly communicate the impact of good (or bad) security for the organisation. The board will want to know all the details and in an easy-to-digest manner so it is a good idea to have this prepared before presenting.
Explain the framework you're proposing, fully, and in layman's terms. Always include a back-up plan, so that if a potential threat does occur you can reassure the board that important data will remain protected and that threats can be isolated to prevent threats from moving laterally through a network.
As mentioned above, the cyber security scope is broad and there are several steps to follow in order to get it right.
After you have made your organisation aware of the framework, you will then need to consider how the technology can be best applied and configured for the in-house infrastructure. It is all well and good getting the latest and greatest technology in – but if it's not configured properly it could still be letting threats through.
Following this, network and cloud security should also be checked to protect against all unauthorised attacks from entering the business network.
Overall, CIOs should follow a set plan when it comes to the cyber security protection of an organisation. Always keep check of all old network connections and keep all data stored safely (with backups).
People and processes
It is particularly important to implement security awareness training (SAT) within your organisation. Without this, not even a fleet of technologies will save the company from a cyber attack.
However, SAT enables staff to understand the issues around IT governance and control solutions. With such training, employees will also be able to recognise concerns and know how and when to respond accordingly.
According to Infosec Institute, 28 percent of all breaches stem from human error and as many as 30 percent of employees are unable to spot a phishing email – all can be avoided with SAT and anti-phishing training.
Investing in SAT also helps to improve companies' security-related risk posture. It will remove instant fear response modes, and instead bring in some level of maturity to staff as they become more aware of how to handle likely threats.
Auditing and penetration testing
Cybersecurity is continuously evolving. While the vast majority of attackers will go for the 'low hanging fruit' of phishing attempts, targeted attacks are becoming ever-more sophisticated. This is why it's vitally important to constantly test your people and infrastructure against attacks.
Hire white hat hacker penetration testers to try to breach your perimeter. If they manage it, learn from it. Frequently audit your organisation – you can run simulated email attacks that will show you if your staff are up to speed and trained not to open suspicious links.
While it's impossible to be sure you'll never be prone to a cyber attack (in fact, the likelihood is you will be attacked, full stop), following these procedures can help you from an additional layer of protection against would-be attackers.