CSO Online recently produced its annual State of the CSO report, which surveyed 366 security professionals online in August and September 2014. Among the major findings: concern about high-profile data breaches is forcing security executives to reevaluate their information security standards, and they are spending more time advising senior executives on security-related matters.
Among the organizations surveyed, external cyber threats were the most commonly anticipated security-related challenge for the coming year; some 37% of the organizations say they expect to face them. While external threats make the headlines, many are paying more attention to internal threats and the potential damage a malicious insider may pose.
“We are paying a little more attention to monitoring internal activity in our network,” says Brian Joyce, director of IT/security at public accounting and business advisory firm Joseph Decosimo and Co. “Previously we have been more focused on what was coming in. Now, [we’re] equally focused on what is going out as well, [and] more focused on data loss prevention and our ability to respond to control potential damage.”
Many of the organizations surveyed use a formal Enterprise Risk Management (ERM) process that assesses multiple types of risk, not just information and physical security. The process covers a variety of disciplines, including information security, business continuity/disaster recovery, executive management, financial risk/insurance, physical/corporate security, general counsel/legal and human resources. When it comes to data breaches, mitigating risk is not just the job of the CSO and CISO, but also that of other officers and executives.
One area that is drawing a lot of attention is dealing with the consequences of a data breach and how to minimize the risk and damage it can cause. Some organizations feel they need perfect information before they can act, but this is unrealistic. If you experience a breach, you need to manage the incident immediately, making the best decisions you can based on the information at hand. This should include following processes and procedures that have already been formulated and tested.
Your plans should include the best technology to prevent a data breach from happening. The first step in protecting your most sensitive information is identifying it. Most organizations can quickly identify their most critical business information and who really needs access to it. From there it is a matter of putting processes and technology in place that protect that information. Waiting until you have classified all your data is not prudent, since most organizations are at risk now.
The exposure varies by industry, but it is most relevant for any organization holding intellectual property, customer information or anything subject to regulatory oversight. Healthcare and financial services tend to be at the high end of the risk curve.
The threat landscape is constantly evolving, and organizations need to involve every level of the business in mitigating risk. You need to take a holistic approach to risk, but you cannot afford to wait until you have perfect information. Look at what is at risk today and plug your most obvious leaks.
Photo credit Gideon