IT leaders are responsible for keeping their organisation’s digital and information assets safe and secure. It should go without saying that protecting employees and client data should be a top priority for CIOs and CISOs.
How security threats are managed will have an impact on everything from operations to reputation, and no one wants to be in a situation where no security plan is in place.
If your business still doesn’t have a security plan drafted, here are some tips to create an effective one. If you already have one – you are definitely on the right track. However, don’t rest on your laurels: periodic assessment, review and stress testing are indispensable if you want to keep it effective.
Assess the current state of the security environment
It might sound obvious but you would be surprised to know how many CISOs and CIOs start implementing a security plan without reviewing the policies that are already in place.
It’s important to assess previous security strategies, their effectiveness (or lack of it) and the reasons why they were dropped. Was it a problem of implementation, lack of resources or maybe management negligence?
Once you have reviewed former security strategies it is time to assess the current state of the security environment.
Has it been maintained or are you facing an unattended system which needs basic infrastructure work? Are there any protocols already in place? How security-aware are your staff and colleagues?
Use risk registers, timelines, Gantt charts or any other documents that can help you set milestones, track your progress, keep accurate records and help towards evaluation.
A master sheet is always more effective than hundreds of documents all over the place and helps in keeping updates centralised.
Network management, and particularly network monitoring, helps spot slow or failing components that might jeopardise your system.
A monitoring setup must be able to collect, process and present data, analysing the current status and performance of the connected devices.
If a detection system suspects a potential breach it can send an email alert based on the type of activity it has identified. Configuration is key here: perimeter response can be notorious for generating false positives.
Antivirus software can monitor traffic and detect signs of malicious activity. These tools look for specific patterns such as byte sequences in network traffic or multiple login attempts.
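As an added illustration of the configuration point above (not code from the original article), here is a small Python detector for the “multiple login attempts” pattern run over a few constructed log lines; the log format, the threshold and the time window are assumptions, and the second call shows how an over-sensitive setting turns ordinary mistyped passwords into a false positive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (simplified syslog-like layout, not from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:06 sshd: Failed password for bob from 203.0.113.5
2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:02:10 sshd: Failed password for carol from 198.51.100.9
2024-03-01T09:15:00 sshd: Failed password for carol from 198.51.100.9
2024-03-01T09:30:00 sshd: Accepted password for carol from 198.51.100.9
"""

FAILED_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for \S+ from (?P<src>\S+)$")

def failed_logins(log_text):
    """Yield (timestamp, source) for every failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source: peak_count} for sources reaching `threshold` failures
    within any sliding window of `window_seconds`. The threshold and window are
    the configuration knobs: set them too sensitively and typos become alerts."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src in failed_logins(log_text):
        by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop events that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

if __name__ == "__main__":
    # Tuned: only the five failures in six seconds from 203.0.113.5 fire.
    print(detect_bruteforce(SAMPLE_LOG))
    # Over-sensitive: two failures in an hour also flags carol's two mistyped passwords.
    print(detect_bruteforce(SAMPLE_LOG, threshold=2, window_seconds=3600))
```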
Five of the top network monitoring products on the market, according to users in the IT Central Station community, are CA Unified Infrastructure Management, SevOne, Microsoft System Center Operations Manager (SCOM), SolarWinds Network Performance Monitor (NPM), and CA Spectrum.
Collaborate with colleagues and stakeholders
Although it’s your skills and experience that have landed you the CISO or CIO job, be open to suggestions and ideas from junior staff or customers – they might have noticed something you haven’t or be able to contribute fresh ideas.
CISOs and CIOs are in high demand and your diary will barely have any gaps left. Build a close-knit team to back you and implement the security changes you want to see in your organisation.
Make use of the different skills your colleagues have and support them with training.
Talent can come from all types of backgrounds. Successful projects are practically always the result of effective team work where collaboration and communication are key factors.
Set security measures and controls
Once you have determined all the risks and vulnerabilities that can affect your security infrastructure, it’s time to look for the best solutions to contain them.
Prevention, detection and response are the three golden words that should have a prominent position in your plan.
In the case of a cyber attack, CISOs and CIOs need to have an effective response strategy in place.
It should explain what to do, who to contact and how to prevent this from happening in the future. Keep good records and review them frequently.
CIOs are responsible for keeping the data of employees, customers, and users safe and secure. Familiarise yourself with relevant data protection legislation and go beyond it – there are hefty penalties in place for failing to meet best practices in the event that a breach does occur.
While meeting the basic criteria will keep you compliant, going the extra mile will have the added benefit of enhancing your reputation and integrity among clients and colleagues. And again, if a breach does take place – at least you will be able to point to the robust prevention mechanisms that you have put in place.
As we suggested above, use spreadsheets or trackers that can help you with the recording of your security controls.
Make them live documents that are easy to update, while always keeping records of past actions: don’t rewrite, archive.
Ensure end-to-end security at every level of your organisation and within every single department. Protect files (digital and physical) from unauthorised access.
Create a data map that helps you locate where and how files are stored, who has access to them and for how long they need to be kept.
You might have been hoarding job applications for the past 10 years but do you really need them – and is it legal to do so?
In a mobile world where all of us access work email from our smartphones or tablets, setting ‘bring your own device’ policies is just as important as any others regulating your office activity.
Depending on your sector you might want to focus your security plan on specific points. Whereas banking and financial services need an excellent defence against fraud, internet or ecommerce sites should be particularly wary of DDoS attacks. Of course, a threat can take any shape.
In any case, cybersecurity hygiene and a comprehensive anti-data breach policy are a must for all sectors.
Create a dynamic security culture
This is probably the most important step in your security plan as, after all, what’s the point of having the greatest strategy and all available resources if your team is not part of the picture?
As a CISO or CIO, it’s your duty to carry the security banner and make sure that everyone in your organisation is well informed about it. Security starts with every single one of your employees – most data breaches and cybersecurity threats are the result of human error or neglect.
Make training available for all staff, organise refresher sessions, produce infographics and resources, and send regular emails with updates and reminders. There are options available for testing the security nous of your staff, too, such as simulated phishing emails that raise an alert if opened.
While you should be watching to make sure hackers don’t infiltrate your system, a member of staff plugging in a USB device found in the car park can be equally harmful.
Use your imagination: an original poster might be more effective than hours of death-by-PowerPoint training.
Emphasise the fact that security is everyone’s responsibility and that carelessness can have devastating consequences, not only economical but also in terms of your business reputation. Data breaches are not fun and can affect millions of people.
Securing the business and educating employees has been cited by several companies as a concern.
Faisal Yahya, Head of IT, Cybersecurity and Insurance Enterprise Architect, for PT IBS Insurance Broking Services and experienced CIO and CISO, is an ardent advocate for cybersecurity training and initiatives.
“The financial impact of cyberattacks for the insurance industry can only be mitigated by promoting initiatives within companies and implementing the best standard mitigation strategies for customers,” he told CIO ASEAN at the time.
Awareness is the key!
Red Hat says that to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full cycle of your apps – after all, DevOps isn’t just about development and operations teams.
DevSecOps gets developers to think more about security principles and standards as well as giving them further ownership in deploying and monitoring their applications. It can also build security testing into your development process by making use of tools that can automate processes where possible.
DevSecOps implies thinking about application and infrastructure security from the start. According to the IBM-owned open source giant, it also means automating some security gates to keep the DevOps workflow from slowing down.
Selecting the right tools to continuously integrate security can help meet your security goals, but effective DevOps security requires more than new tools – it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
Review your budget
Yes, unsurprisingly money is a determining factor at the time of implementing your security plan.
Whereas changing passwords or encrypting documents costs nothing, investing in adequate hardware or switching IT support can affect your budget significantly.
Computer security software (e.g. anti-spyware, intrusion prevention systems or anti-tamper software) can be effective tools that you might need to consider when drafting your budget.
Prioritise: while antivirus software or firewalls are essential to every single organisation that uses a computer, security information management (SIM) might not be relevant for a small retail business.
Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills.
Transparency is another crucial asset and it helps towards building trust among your peers and stakeholders.
Collaborating with shareholders, CISOs, CIOs and business executives from other departments can help put a secure plan in place while also meeting the security standards of the company as a whole.
And if the worst comes to worst and you face a data breach or cyberattack while on duty, remember that transparency can never backfire – at least that’s what Ian Yip, Chief Technology Officer, APAC, of McAfee strongly advises:
“The top thing to be aware of, or to stick to, is to be transparent,” Yip told CIO ASEAN. “If you look at it historically, the best ways to handle incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there’s an incident, trust in your organisation goes down. But the most transparent and communicative organisations tend to reduce the financial impact of that incident.”