EXECUTIVE SUMMARY:

As cyber threats continue to evolve, the CIO's and CISO's jobs become more complex and fraught with worry. Their roles are enormous, both in the work to be done and in the weighty responsibility of keeping the organization secure in the face of cyberattacks and compliant in a world of shifting technologies and regulations. But some concerns outrank others.

Recently, The Wall Street Journal talked with CIOs and CISOs about what keeps them up at night. Below are highlights from their findings.

  • Quantifying the risk. There's no shortage of information about threats and vulnerabilities. The challenge is presenting that voluminous data in a way that top executives and the board can easily understand. As The Wall Street Journal explains, organizations don't share the same systems and risks, so finding the metrics that are relevant becomes an individual quest for each of them.
    Liane Pelletier, who has worked with telecommunications providers, told The Wall Street Journal that she tracks how much of the company's software in use is the latest version, because it gives her a good indication of how well they're doing at patching vulnerabilities that could lead to hacks. In addition, she pays attention to detection speeds for significant intrusions and compares them with industry averages provided by Carnegie Mellon University. Pelletier told The Wall Street Journal, "The most horrifying thing is to find an incident and find it's been going on for nine months. What a sick feeling in your stomach."
  • Managing access. As the business world becomes more mobile and work takes place outside the safety of the perimeter, those tasked with security are looking at how to best secure data and assets. The Wall Street Journal reports, “One approach is a strategy called zero trust, where users are given access to sections of apps or data, rather than entire networks, by going through strict identity-authentication measures. So, for instance, human-resources employees wouldn’t get access to sales data when they log on—as opposed to the system many companies use now, where a single sign-on gives employees access to everything on the network.”
    Multi-factor authentication is also being brought into play, relying on biometrics as a form of validation.
  • Trusting your partners. In today's cyber world, you're only as safe as the partners with whom you do business. The Target data breach from several years ago was a wake-up call: it's not enough to make sure your own network is secure; you also have to ensure that anyone you do business with has proper protections in place. Referencing an Accenture study, The Wall Street Journal reports, "About 36% of companies don't apply the same or higher security standards to their partners as they use internally."
  • Understanding your enemy. Key to building a solid security infrastructure is knowing who is likely to target you and how you might be targeted. According to The Wall Street Journal, “Knowing who is involved in a cyberattack can help companies understand the breadth of systems affected by an incident, from where the next attack might come or what information attackers are seeking, all factors in providing better security.”
  • Waiting for government security clearance. Government security clearance is critical for businesses that support a country's infrastructure. Employees who are granted security clearance are able to access classified cyberthreat information from federal agencies, providing needed insight for securing the organizations on which the nation's infrastructure relies. But the Office of Personnel Management says the timeline has more than doubled in the past few years, due to a data breach at the agency itself.
  • Knowing what to report. When a data breach or cyberattack occurs, businesses are expected by the public and by government to report the incident. How much and what, specifically, can be confounding. The Wall Street Journal reports that the SEC looks for “descriptions of how they determine the severity of security gaps and incidents, and how senior executives and the board communicate about cybersecurity, as well as specifics about how the board handles its oversight of cyber risk.” To keep CISOs and CIOs honest, hiring an auditor who can test the security system and the validity of what technology chiefs say can be a wise approach.
  • Avoiding financial disincentive. Some businesses have begun to explore the concept of basing executives’ compensation on how well they meet cybersecurity goals, whether prescribed by the organizations they serve or by governing bodies like the National Institute of Standards and Technology.
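The two metrics described under "Quantifying the risk" (share of deployed software on its latest version, and how long intrusions go undetected before being compared against an industry benchmark) are easy to compute from an asset inventory and an incident register. The following script is an added illustration, not code from the article or from any company named in it: the asset list, incident dates and the 30-day benchmark are constructed sample values, and the real benchmark would come from whatever industry data the organization uses.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Asset:
    name: str
    installed: str  # version currently deployed
    latest: str     # latest version the vendor ships


@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: date  # earliest evidence of attacker activity found during investigation
    detected: date        # when the organization actually noticed


def software_currency(assets):
    """Fraction (0..1) of assets running the latest vendor version.

    Exact string equality is deliberately simple; a real inventory would
    normalize version strings before comparing them.
    """
    if not assets:
        return 0.0
    current = sum(1 for a in assets if a.installed == a.latest)
    return current / len(assets)


def dwell_days(incident):
    """Days between first attacker activity and detection (the 'nine months' number)."""
    return (incident.detected - incident.first_activity).days


def dwell_summary(incidents, benchmark_days):
    """Median dwell time plus the incidents that exceeded the benchmark."""
    if not incidents:
        return {"median_days": None, "over_benchmark": []}
    return {
        "median_days": median(dwell_days(i) for i in incidents),
        "over_benchmark": [i.name for i in incidents if dwell_days(i) > benchmark_days],
    }


def board_summary(assets, incidents, benchmark_days):
    """Two board-level numbers and a plain-language status line."""
    currency = software_currency(assets)
    dwell = dwell_summary(incidents, benchmark_days)
    worst = max((dwell_days(i) for i in incidents), default=0)
    return {
        "percent_current": round(100 * currency, 1),
        "median_dwell_days": dwell["median_days"],
        "worst_dwell_days": worst,
        "incidents_over_benchmark": dwell["over_benchmark"],
        "status": "attention" if dwell["over_benchmark"] or currency < 0.8 else "ok",
    }


# Constructed sample data (hypothetical products, versions and dates).
SAMPLE_ASSETS = [
    Asset("mail-gateway", "4.2.1", "4.2.1"),
    Asset("vpn-concentrator", "9.0.3", "9.1.0"),
    Asset("hr-portal", "2.8", "2.8"),
    Asset("erp", "11.5", "11.7"),
    Asset("wiki", "1.39", "1.39"),
]

SAMPLE_INCIDENTS = [
    Incident("INC-A", date(2023, 1, 10), date(2023, 1, 25)),   # 15 days
    Incident("INC-B", date(2022, 6, 1), date(2023, 3, 1)),     # 273 days
    Incident("INC-C", date(2023, 5, 5), date(2023, 5, 12)),    # 7 days
]

# Assumed benchmark for illustration; substitute the industry figure actually used.
BENCHMARK_DAYS = 30

if __name__ == "__main__":
    for key, value in board_summary(SAMPLE_ASSETS, SAMPLE_INCIDENTS, BENCHMARK_DAYS).items():
        print(f"{key}: {value}")
```

The point of reporting the median alongside the worst case is that a single long-running intrusion (INC-B above) is exactly the kind of outlier the article's "nine months" quote refers to, and it disappears if only an average is shown.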

Get the full story at The Wall Street Journal.