When a new CIO steps into a job, they are often cautious on cybersecurity issues, despite more data breaches.
According to a recent survey by Fuze of 900 CIOs around the world, improving security is the number one priority for executive teams with 57% of CIOs agreeing that their executive teams consider it a priority. In the UK, 24% of CIOs have moved their IT security to the cloud, while 33% are part way through moving their security to the cloud.
Approaching cybersecurity
So when starting a new role, how should a CIO approach cybersecurity? According to Simon Townsend, chief technologist, EMEA at Ivanti, cybersecurity needs to be built into a business from the top down.
"Any new CIO needs to quickly understand how the business views security, as well as the current state of security within the business," he says. "More importantly the new CIO needs to understand how the CEO and exec team view cyber security."
Townsend says that previous breaches, incidents and events should be discussed as soon as possible and any existing and/or outstanding concerns should be raised.
"A CIO should also understand the business and any non-technical threats to the business. For example, who are the competition? Who, or where, could external threats come from? How valuable or sensitive is the data within the network? In short, a new CIO should be in 'assessment mode' for an initial period of time, absorbing all information about both the business and the technology within the business," says Townsend.
Developing a cybersecurity framework
It would be tempting for a new CIO to develop their own cybersecurity framework, but Josh Zelonis, senior analyst at Forrester, doesn't recommend it. He says there are many options that are popular such as ISO, which is an internationally recognized risk management framework and can be used to great success.
"The importance of a risk management framework is in the ability to map your various regulatory requirements to an industry recognised set of controls, and have that be the common language you use throughout your organisation and in discussion with auditors," he says.
Jon Wrennall, CTO at software and services provider Advanced, says there are few organisations that haven't already got a baseline set of policies, procedures and training in place.
"Furthermore, many may have gone through similar programmes in the past. Any new programme must be conscious of the starting point (and those legacy programmes) so as not to reinvent wheels but reinforce rules and change where necessary," he says.
Fleshing out a cybersecurity strategy
One of the challenges for a CIO is ensuring that the investments being made in defences against attack are happening in the right place.
"Companies can benefit by understanding how threat actors are targeting companies in their sector and specific vulnerabilities they are looking to exploit this intelligence can be gleaned from criminal forums," says James Chappell, CTO and co-founder of Digital Shadows. "From this intelligence, prioritise from there and build appropriate defences. At all times firms should put themselves in the minds of a cybercriminal if they were to attack, what would they see, how would they do it, what information would they be looking for (e.g. intellectual property and PII), which of your external suppliers would they target?"
Implementing a strategy
Exonar CEO & founder Adrian Barrett believes that the very starting point of implementing a security strategy is to understand the strategic goals of the organisation and write a strategy that supports its commercial goals.
"There's no other option for this, otherwise the security function and its policies and goals will be irrelevant and therefore ignored even by the senior people in the organisation. If you cannot persuade the Board that security is relevant and easy then no one else will care either so don't waste time persuading, just make it relevant," he says.
Wrennall says that all security strategies have the same core attributes addressing confidentiality, integrity and availability but the level of mitigation and approach to implementation will vary depending on the nature of the business and risk.
"A security risk assessment (be it an RMADS or equivalent) will help prioritise the areas of focus. It will enable the CIO to prioritise implementation of the mitigating actions necessary to lower the risk to an acceptable level," he says.
Many businesses are increasingly (but not always) storing their IP online, be it bank/financial records, source code, product designs, or customers' details, according to Wrennall. "It's therefore critical to address all risk vectors that the various overall system actors introduce in their interaction with this way of working."
Education and awareness for all is important when implementing a strategy and should be a crucial part of any employee onboarding process, says Townsend. "The business needs to lead by example and before anything, CEO and executive level awareness, sponsorship and support is key. If the organisation doesn't see cybersecurity as crucial to business, then any new CIO will have an uphill battle."
Forrester's Zelonis says it's essential the CIO engages outside counsel for developing a robust incident response capability. All the mitigation technologies in the world are just a sieve to filter out attacks, he says, not an impermeable defence against them.
"How your organisation performs in a breach situation will be measured publicly. By preparing for failure you have the potential to not only save your own job, but also your bosses'," he explains.
Changes on the horizon
Like it or not, GDPR is going to come into force in 2018 and this will significantly affect how CIOs will deal with cybersecurity issues. Townsend says its introduction and business demands mean that the role of the CIO could become less about technology, and more about playing a diplomatic and political role.
Barrett adds that the regulations are the most significant for a generation. "It normalises expectations of how your organisation needs to secure (amongst other things) data regarding people. If you frame it as a change of ownership of personal data from the collector (your organisation) owning that data, to the data subject now owning it, it will help you frame how it can be used, secured and managed."
WATCH: Learn more about the security threats facing businesses today and how to combat them in this free webinar WATCH NOW
