BreachExchange mailing list archives

IT security is a matter of accountability


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Sep 2014 18:04:02 -0600

http://net-security.org/article.php?id=2114&p=1

For today’s CEO, being the victim of criminal hackers is no longer just a
source of embarrassment. Being hacked often carries legal ramifications and
can even cost you your job. We live in the age of transparency, where ‘mega
breaches’ and data theft from an organization are increasingly hard to keep
from the customer. It has never been more challenging for a CEO who must
accept responsibility for IT security incidents, thoroughly assess the
risks and remain vigilant to potential threats.

Accepting responsibility

The CEO has always had responsibility for the overall growth and health of
his or her organization. Bottom-line issues such as manufacturing and
marketing, for example, were traditionally within their remit. However, in
the digital age security has become a fundamental bottom-line issue.
Invariably, the cost of investing in adequate IT security measures is lower
than the cost of recovering from a breach.

Good data protection practices should be at the heart of important
organizational goals such as compliance and reputation. At the end of the
day, the market will punish a company that loses the trust and business of
its customers.

Assess the risks

A thorough risk assessment of an organization should be a top priority. A
good CEO would look at external risks – e.g. those of competitors, new
entrants and market forces – and internal risks, e.g. finances and human
resources. IT and security should now be a priority in this latter bracket.

From an IT perspective, it is crucial to know where you are vulnerable,
both inside and outside your firewall. You may not have complete visibility
over what applications your customers are accessing, but this can be
solved. Vulnerability and risk assessments, as well as penetration testing
by trusted third-party firms are now just as important as the quality of
your product or service.

Putting software and hardware to one side, one of the greatest potential
threats inside the corporate firewall is that of the disgruntled employee.
Many high-profile breaches include some element of internal, malicious or
careless activity carried out by employees or contractors who work for the
company. How can C-level executives know how social media channels are
being used by employees to liaise with customers? This lies at the
intersection between technology and people management, both of which the
CEO must take a role in.

The rise of BYOD and mobile working also presents significant cyber
security risks. With more and more employees accessing corporate data
through tablets and smartphones, these devices and their apps are especially
ripe for compromise, providing hackers with more ways in to steal private
company information such as passwords and files.

Bolstering background checks and personnel security is a wise decision.
But CEOs may also want to rethink data access policies. Specifically,
policies that define who in your organization has access to corporate and
customer data should be evaluated. In the digital age, now is the perfect
time to separate these two data classes, providing only the most trusted
employees access to customer data on an as-needed basis. These access
restrictions should then be applied across the board.

Nurturing support

You are only as good as the people you have around you. In order for CEOs
to truly prioritise IT security as a business issue, having a dynamic and
innovative supporting CIO is necessary. A CIO who is willing to collaborate
with the top executives and invest in the right technologies that will
protect an organization from hackers can accelerate business growth. CEOs
should look to employ CIOs who can move fast and anticipate cyber threats.

In the world of IT security, hackers are continually looking for new ways
to compromise new and old systems alike. CEOs, and not just CIOs, must remain
vigilant and react swiftly to potential threats and serious breaches. CEOs
and the board should develop cyber security strategies that focus on what
matters to their business, and the risks that are associated with that.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
