Believe it or not, today marks the last week in October’s National Cyber Security Awareness Month (NCSAM). We hope you’ve not only learned a few things about staying safe online, but taken action to make better security choices at home and at work.
The NCSAM theme for week 5 is “Critical Infrastructure From Cyber Threats” so we thought we’d share some insights from our CIO, Ian Pitt, on how CIOs can best protect their businesses, from the initial approach to cyber security, to the formation and implementation of a cyber security policy, and finally, what the future holds for the CIO and cyber security.
Approaching cyber security holistically
When it comes to approaching cyber security, a CIO needs to be wary of making sweeping announcements, implementing changes, and forever altering the landscape of the company, as those changes are not always for the better. An organization can only adopt a productive and successful cyber security program when culture, budget, risk, scope and willingness all meet and align. If any of these elements is missing, the CIO will fail to effectively change the security stance of the organization.
Therefore, early in the CIO’s tenure, they should gain a thorough understanding of what’s currently in place, what’s been done in the past (including both successes and failures), and the organization’s risk profile and appetite. Security should be critical for all companies, but the approach will inevitably correlate to the risk facing the organization. Finally, it’s crucial that the executives and board are behind the plan. Without support across all arms of the organization, any policy will struggle to flourish or deliver the best results.
Adopting a cyber security policy
The basis for any cyber security policy should be an understanding of behavioral changes in people. A CIO who focuses exclusively on technology to implement a policy will be doomed to failure. It’s important that they take into account the training and readiness of the user population to round out a truly secure environment.
Each element of a policy should build on the foundation that users have a desire to be secure, and that they know what to watch for. The best defenses can be easily unwound by a social engineering attack, and once the basics are in place (firewalls, password policies, access controls, etc.), the CIO can often get an excellent return on making sure the user population is well versed in their role as the first and last lines of defense.
Once formed, a policy should be implemented collaboratively, with a high level of education and explanation. There are two possible reactions to a sudden change in a company’s security stance: a groundswell of adoption and support, or a catastrophic push back and loss of productivity from the user base. The latter will inevitably occur if users suddenly find they can’t do something, or ‘The Company’ is seen as being subversive or suffocating. In order to achieve the first response, users need to be educated so they understand why changes are necessary, and the policy needs top down support.
A well-formed cyber security policy must include a cohesive plan that is laid out by management; clear, relevant, concise statements on who should be adopting the policies, and why they’ve been implemented; basic hygiene elements; and monitoring and alerting tools that are regularly fine-tuned. It’s critical that policies are regularly reviewed and that employees are kept sharp and continuously trained.
Staying one step ahead
In the ever-changing culture of cyber security, it can be hard for a CIO to remain one step ahead of threats. However, networking and communication are two of the easiest ways for a CIO to get a foot in the door before the threat hits. By understanding the changes to the business that are planned, and driving them where necessary, the CIO can greatly assist the organization in adapting to the ever-changing threat landscape. In addition, the CIO shouldn’t be afraid to look outside the organization for counsel. Peers and specialist organizations should be regularly consulted to widen the understanding of evolving threats. Adapting policies, processes, and education with that knowledge will greatly assist a successful approach to cyber security.
Looking ahead… the future for the CIO and cyber security
Looking into a crystal ball doesn’t always work in the world of security, but at a macro level, the CIO can expect a number of changes in the arms race that is cyber security. From a technology perspective, machine learning will greatly assist in threat detection and mitigation. One area that many companies struggle with is keeping up with endless flows of information and filtering out false positives to allow security teams to focus on the real threats. Also, there is an ever-increasing use of ‘shadow IT’ tools in an organization. This will be driven by the constant commoditization of technology, by SaaS products introduced without first being vetted by security teams, and by mobile devices. Because of this, CIOs will be forced to maintain very close relationships with the user base and to foster a spirit of collaboration.
What is unlikely to change, regardless of the technology, is the concept that people will always be the first and last lines of defense, and this should be at the front of any CIO’s mind when they’re approaching cyber security.
Ian Pitt is the Chief Information Officer at LogMeIn responsible for Cyber Security, Governance, Corporate IT and Business Systems for the global company.