From data leakage to risk management, five key areas that CISOs must deal with as they create an information security strategy for the business
From malicious individuals aiming to expose your organisation’s information, to senior executives who demand the CISO must work with limited funds to close every potential avenue to exposure, the role of protecting company assets has never been so challenging.
Maintaining an effective balance between risk and innovation is a tough challenge for the IT leader, especially in a modern, cost-conscious environment, where the individual spend of consumer technology is increasing at a faster rate than the CIO’s technology budget.
CISOs looking to create a security strategy for the business must address five key areas - data leakage, consumerisation, cloud computing, compliance and risk - and demonstrate how the IT leader really holds the key to information integrity in the digital age.
What can you do?
Cloud is coming but you cannot take its evolution in the enterprise for granted. Independent research organisation Ponemon Institute suggests more than half of United States organisations are already adopting cloud services, but only 47% believe on-demand services are evaluated for security prior to deployment. Worse still, the cloud is often being introduced beneath the radar and without the watchful eye of the CISO. Ponemon reports 50% of US IT professionals believe their organisation is unaware of all the cloud services currently deployed in the enterprise, and such neglect raises the spectre of potential security risks. The traditional security policy that concentrates on defence in depth will no longer translate to cloud computing. The CISO will be held accountable for security breaches and will need to ensure security is adequately addressed at the start of every business initiative.
Security measures must be implemented in a controlled, yet timely manner, and should result in the establishment of a common risk language across the organisation.
Did you know?
Over half of financial services CIOs spend 30% or more of their IT change budget on regulatory compliance, according to research from consultant Xantus.
What can you do?
The ever-increasing regulatory burden is not confined to financial CIOs; it is a challenge common to IT leaders across all sectors. Research from security association ISACA suggests as much as 95% of IT professionals within major organisations consider governance to be important. Key initiatives include Payment Card Industry standards, with analyst Gartner estimating that PCI compliance costs organisations an average of $1.7m across a two-year survey period. Mobile and cloud computing create further governance headaches for CIOs charged with compliance management.
IT leaders must ensure the regulatory burden is fully understood. While ISACA research suggests as much as 70% of heads of IT are also members of the senior management team, that still means almost a third of CIOs are not in a position to influence security spending decisions at the boardroom table.
Did you know?
As much as 26% of Britain’s mid-size technology companies are highly exposed to the risk presented by cyber crime, according to research from insurance company Zurich.
What can you do?
A thorough understanding of risk is set to rise in prominence on the CIO agenda. Researcher IDC reports financial firms currently spend in the region of $56bn on risk technology, a figure set to rise by 7% through 2015, driven by the increased need for compliance and a demand from the business for deeper analytical information.
CISOs aiming to deal with risk must find a careful balance between utility and innovation, while dealing with disjointed data legislation around the world and the risk of greater disruption to operations caused by infrastructure failures. CISOs must also help to drive cost savings and efficiencies within the organisation at the same time as they encounter a number of targeted threats to their organisations, such as acts of economic espionage and the work of disgruntled employees.
Rather than talking in technical terms, IT leaders must explain how failing to address a concern will lead to specific risks to the business, and that explanation must relate to key business performance indicators.
The CISO must use risk as the basis for implementing innovative IT solutions that secure the business, and should be fully prepared to advise the business on the cost of not implementing them.
The Open Security Foundation reports there have been 369 security incidents so far this year, affecting as many as 126,749,634 records.