When an incident occurs, the CIO often becomes the face of the company’s security shortcomings; in other words, the “fall guy”. This can leave CIOs wondering how to better prepare for the next breach, and equally important, how to keep their jobs when the witch hunt begins.
Here are some ideas we’ve gathered from smart CIOs whom we’ve supported:
- Proactively Educate The Business
There is a common misperception within many organizations that cybersecurity is IT’s responsibility, but CIOs know that security cannot be achieved by one person. Business leaders often don’t understand the role they must play in protecting the company. Additionally, boards and shareholders often don’t appreciate the complexity of the security challenges faced by the organization. To prevent finger pointing in the aftermath of a security crisis, CIOs should work proactively as advocates of internal collaboration, uniting the organization’s leaders and other stakeholders in a shared understanding of, and accountability for, the company’s security posture, and driving much needed investment in the overall state of security.
- Arm Yourself and Your Company
Although not typically involved in day-to-day security activities, CIOs are accountable for making sure their organizations are prepared to handle current and emerging threats and for optimizing their organizations’ ability to detect and respond to these threats. CIOs must stay informed by arming themselves with information about the types of attacks occurring in the industry, the organization’s capabilities, and the easiest and most likely ways an attacker might gain access to the company’s environment. Additionally, the CIO must understand which assets are most important for the business to protect should an attacker successfully establish a foothold within the environment. Armed with this information, a CIO can greatly reduce the impact of security incidents.
- Put the Organization Through Its Paces
Armed with knowledge of the organization’s capabilities, its critical assets, the evolving threat landscape, and current industry trends, a CIO can further reduce risk exposure by defining a strategic plan for handling the breaches that will inevitably occur, and by testing the preparedness of the company’s incident response capability with tabletop exercises. This type of readiness testing validates the company’s posture and its practical ability to execute collaboratively in a crisis, and it strengthens the organization’s capability by educating key stakeholders.
Protecting an organization from cybercrime isn’t easy. You can cross your fingers and hope for the best, or you can get smart about the risks and prepare your entire organization to act together in an emergency. Shared accountability is good for the company, and for a CIO’s career.