Four times in the last 36 months I’ve had a company call or send a notice that “due to a security breach…” my information has been compromised. It is frustrating, scary, exasperating, and a general pain in the you know what. Imagine that one person's reaction multiplied across millions of people, or across an entire country's infrastructure: the scale is astounding. Per the U.S. Department of Homeland Security, “Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”
With the common understanding that everything online is connected, a CIO's business acumen around Cyber Security is one of the fastest growing conversations happening today. A CIO who can effectively work through and discuss the overall business strategy across all systems can ultimately make security decisions in the context of everything else the organization wants and needs to do.
I spent an afternoon talking with Bob Merkle, a Cyber Security Risk Management consultant for Business Executives, regarding what he is hearing with his clients. Here are six related items that he hopes a CEO and CIO talk about when discussing the current and future security risk management needs of a company.
1. Give everyone a piece of Risk Management responsibility. Security is not only an IT issue – every employee in every department should have Risk Management responsibility embedded into the culture and written into their job description. At the tactical level, here are some simple examples of every-day tasks that highlight this statement. Can an employee easily forward a phishing email to be reviewed? Is the employee thinking about how he/she can securely send this piece of employer data to the vendor? Are the passwords the employee uses at work all the same, and are they tied to personal passwords used at home? Ultimately, the company should send clear and consistently repeated communications emphasizing the Risk Management responsibility.
2. Rethink all Procedures from a Security standpoint. How many procedures does the company have that don’t include a manual check to ensure security? How many processes are 100% automated without any security check controls? Look at all processes – not just the obvious IT ones – with an eye towards securing company IP and the private data of the company and its customers. For example: a network administrator gives notice – is there a way to reduce their access and change ‘shared’ administration processes to ensure security? How is the sales rep giving out the company's FedEx account number to a customer sending in a signed contract?
3. Ensure all employees share customer-first thinking. Executives, management, and line workers who think of the customer first (outside-in thinking), question any process or transaction that they don’t understand, or question any potential lack of security through the customers’ eyes (external or internal customers) will be helping the company minimize security risks. Thinking customer first applies not just to security, but to all ideas that ‘maximize the chance for business success.’ Ever hear the story where a company lost a major contract with UPS because they sent in the paperwork through FedEx? The mail room person executing the task of sending out the paperwork could have prevented it. It’s the same with managing security risk – any individual who takes the time to question what they are doing can prevent a breakdown.
4. Long-term systems process, not a training event. Systems, to a business-savvy CIO, don’t just mean technical computer systems, but the computer and people systems throughout the business. CIOs who ensure the yearly class on Security is given to every employee must also ensure that there is an ongoing system in place to keep the Security training top of mind – i.e., they must clearly develop the ‘process’ around the training event. Each company can find a way to make it part of the business. An employee does X every day – are they asking themselves if the task and the process around it are ‘safe’? Challenge them to send in examples of what may or may not be safe and should be questioned.
5. Put a strong Quality Control system on the basics. The risk to a business is that it has to be 100% perfect to keep the trust of its customers. To this end, the basics of security need to be completely covered. For example, how often does the company survey all of its servers for open ports, and who or what may be using those ports? Although security is not absolute, implementing a structured approach to ensure minimal to no risk on the security basics is a fundamental task that all companies should be mastering (as an aside, if you know of an example where a Six Sigma approach was specifically implemented for Security risk management, please enter a comment on this article).
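As an added illustration of the port survey mentioned above (example code written for this article, not something from Merkle or the author), the script below parses the output of `ss -tlnp` on a Linux host, compares each listening port and its owning process against a hypothetical approved baseline, and reports anything that is unexpected or cannot be attributed. The sample output and the baseline are both constructed.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -tlnp` output on Linux (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("python3",pid=990,fd=5))
LISTEN  0       5       0.0.0.0:8080        0.0.0.0:*          users:(("python3",pid=4411,fd=3))
LISTEN  0       80      [::]:3306           [::]:*
"""

# Hypothetical approved baseline: port -> process names allowed to own it.
BASELINE = {22: {"sshd"}, 443: {"nginx"}, 3306: {"mysqld"}, 5432: {"postgres"}}

class Listener(NamedTuple):
    addr: str
    port: int
    process: str  # "unknown" when ss could not attribute the socket (e.g. run unprivileged)
    pid: int      # 0 when unknown

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(output: str) -> list[Listener]:
    # Keep only LISTEN rows; the header line and other socket states are skipped.
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # also handles "[::]:3306"
        m = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        name, pid = (m.group(1), int(m.group(2))) if m else ("unknown", 0)
        listeners.append(Listener(addr, int(port), name, pid))
    return listeners

def audit(listeners: list[Listener], baseline: dict) -> list[tuple[Listener, str]]:
    # Flag ports outside the baseline, unattributable sockets, and wrong owners.
    findings = []
    for lst in listeners:
        allowed = baseline.get(lst.port)
        if allowed is None:
            findings.append((lst, "port not in approved baseline"))
        elif lst.process == "unknown":
            findings.append((lst, "owning process could not be determined"))
        elif lst.process not in allowed:
            findings.append((lst, f"owned by {lst.process}, expected one of {sorted(allowed)}"))
    return findings

if __name__ == "__main__":
    for lst, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"{lst.addr}:{lst.port} ({lst.process}, pid {lst.pid}): {reason}")
```

On a real host, feed the script the output of `ss -tlnp` run with sufficient privileges, otherwise the Process column is empty and every socket is reported as unattributable.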
6. Accept that it is a short-term cost with long-term ROI. Merkle thinks the idea that Smarter, Faster, Cheaper should be applied to security is downright scary. The facts show time and time again that it takes money to secure customer and company data, hardware, etc. CIOs set this expectation up front by agreeing to security-based Key Performance Indicators (KPIs) that are created and tracked so the CEO can be assured that money is being spent wisely. Ultimately, the ROI is in the long-term ‘prevention’ of a breach that costs companies millions. The Ponemon Institute 2016 Cost of Data Breach Study found that the “all-in” cost of information lost or stolen averages $221 PER record.
The recent NIST announcement regarding the Baldrige Cybersecurity Initiative has been publicly endorsed by, among others, U.S. Chief Information Officer Tony Scott, who is helping to lead the President’s Cybersecurity National Action Plan. Scott believes that approaches like Baldrige will stimulate improvement on the security challenges and problems organizations face today.
The Baldrige-based Cyber Security self-assessment tool helps CIOs and others better understand the effectiveness of their cybersecurity risk management efforts. (Cyber Security expert? Visit the Baldrige Program website "Phase 1" area for a free download of the new Cybersecurity Excellence Builder and provide feedback online by December 15th, 2016).
Clearly, US industry leaders and company CEOs are taking on Cyber Security as a key leadership issue. CIOs who clearly understand the business ramifications of lowering the company’s security risk have a distinct advantage.