<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TransAccel Group &#187; Security</title>
	<atom:link href="http://transaccelgroup.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://transaccelgroup.com</link>
	<description>Improving IT Processes &#38; Services</description>
	<lastBuildDate>Tue, 03 Jul 2018 13:13:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.2.38</generator>
	<item>
		<title>What Would Bobby Fischer Do?  Taking a Cybersecurity Lesson from a Chess Master</title>
		<link>http://transaccelgroup.com/2015/05/07/what-would-bobby-fischer-do-taking-a-cybersecurity-lesson-from-a-chess-master/</link>
		<comments>http://transaccelgroup.com/2015/05/07/what-would-bobby-fischer-do-taking-a-cybersecurity-lesson-from-a-chess-master/#comments</comments>
		<pubDate>Thu, 07 May 2015 21:18:55 +0000</pubDate>
		<dc:creator><![CDATA[Jay Viszoki]]></dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5396</guid>
		<description><![CDATA[There’s a great expression that those of you who study chess will be familiar with. A Master will often tell a student to “look at the whole board,” but this instruction is not to be taken literally. It means that the student needs to consider several things: One, the potential impact of all the moves that have been played; two, all the potential moves they can anticipate making through the end of the game, and three, all the moves they can anticipate their opponent making. A small expression to describe a herculean task! Now, although this saying could be applied to many situations, a chess game is far easier to conquer than, say, cybersecurity because you have one opponent and can study his strategy. In the realm of cybersecurity, however, your opponents are legion and their weapons are many. Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do. This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack. A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes are essential, people—as [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>There’s a great expression that those of you who study chess will be familiar with. A Master will often tell a student to “look at the whole board,” but this instruction is not to be taken literally. It means that the student needs to consider several things: One, the potential impact of all the moves that have been played; two, all the potential moves they can anticipate making through the end of the game, and three, all the moves they can anticipate their opponent making. A small expression to describe a herculean task! Now, although this saying could be applied to many situations, a chess game is far easier to conquer than, say, cybersecurity because you have one opponent and can study his strategy. In the realm of cybersecurity, however, your opponents are legion and their weapons are many.</p>
<p>Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do.  This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack.</p>
<p>A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes are essential, people—as in ALL the people in your company—need to play a vital role. This cannot be overstated. While it’s true that people often cause cybersecurity risks and outright breaches through negligence or idle curiosity or ignorance, they can also be educated to help identify and stop bad behavior. That said, an annual security “training” program alone won’t do this. A continuous communication campaign that engages the employees and gives them a forum where they can ask questions and learn how to better protect their personal digital world will pay a nice security dividend. If you can show them how their efforts as an integrated part of your security team have paid off, you will have built a security function that isn’t static but considers the changing world. By using your company’s staff as part of your security program, you are now looking at the whole board!</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2015/05/07/what-would-bobby-fischer-do-taking-a-cybersecurity-lesson-from-a-chess-master/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are you too focused on the technical aspects of cyber security?</title>
		<link>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/</link>
		<comments>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/#comments</comments>
		<pubDate>Thu, 23 Apr 2015 21:30:30 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Communication and Change Management]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Best Practices]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5403</guid>
		<description><![CDATA[When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why? My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World. “…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.” In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. 
Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why?</p>
<p>My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World.</p>
<p>“…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.”</p>
<p>In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic for another blog.</p>
<p>Unfortunately, many IT areas don’t give communications and change management its proper due, which is why we focus on those areas as part of all of our client engagements. Information Security user awareness and training helps create a faction of employees who understand that they can be either a vehicle for threat actors to enter your environment, or sentries at the gate, raising an alert when something looks suspicious.</p>
<p>A one-legged stool is going to have you end up on the floor. While you are focusing on technical and physical security, your adversaries are busy figuring out how to leverage your employees to breach your environment. Remember, three legs: People, Process, Technology. Don’t shortcut people and process in cyber security.</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CIOs—Unsung Heroes</title>
		<link>http://transaccelgroup.com/2015/03/25/cios-unsung-heroes/</link>
		<comments>http://transaccelgroup.com/2015/03/25/cios-unsung-heroes/#comments</comments>
		<pubDate>Wed, 25 Mar 2015 15:50:12 +0000</pubDate>
		<dc:creator><![CDATA[Bruce Lotier]]></dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[C-Suite]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIO Challenges]]></category>
		<category><![CDATA[CIO Role]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[Organizational Security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5963</guid>
		<description><![CDATA[In my 35+ years of being a corporate change agent, and now at the helm of my own consultancy, I have worked with all levels of the C-suite, and I have to say the CIO role is by far the most difficult. There are numerous reasons for this, not the least of which is an outdated model of the C-suite itself. The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&#038;D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve. According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate”: CEO, CIO, CMO. Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy. [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>In my 35+ years of being a corporate change agent, and now at the helm of my own consultancy, I have worked with all levels of the C-suite, and I have to say the CIO role is by far the most difficult.  There are numerous reasons for this, not the least of which is an outdated model of the C-suite itself.</p>
<p>The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&#038;D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve.</p>
<p>According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate”: CEO, CIO, CMO.</p>
<p>Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy. At the rate of change today—BYOD and big data come to mind, besides the emphasis on ever-changing end-user demands and satisfaction—it’s a lot to juggle at once. Not to put too fine a point on it, the CIO is answerable in a very tangible way to every executive in the C-Suite as well as the end users, both internal and external.</p>
<p>Mary Shacklett, former CIO of FSI International and current president of Transworld Data, says this about the role of the CIO today: “. . . virtually every aspect of the business these days is run on systems. When systems fail, even if the wrongdoing originates in business operations, the CIO is still a ‘best bet’ lightning rod to attract the blame.” Here Ms. Shacklett is responding to the resignation of Target’s CIO after the data breach last fall. To my mind, blaming the CIO underscores the notion that IT is still perceived mainly as the supplier of technology and that with the right technology, incidents like this would not happen. But this is patently not true. It cannot be the CIO’s job to absorb all the operational risk.</p>
<p>It is past time to realize that risk management is critical to your operations and adequate overhead should be provided for it. Preventative measures such as performing regular maintenance and security checks are not the place to economize; economies can be made by killing unnecessary demand and scrapping any projects that have either outlived their usefulness or whose value is questionable or negligible. Give IT the budget it requires to undertake the discipline, training, and governance necessary to do the job right. Data and operational security should always take precedence over functionality improvements if you are faced with budgetary constraints.</p>
<p>The U.S. economy for the past few years has been unkind to IT, and now that there seems to be a slight improvement, organizations will be making some overdue upgrades to their hardware, servers, and storage systems. IT will be at the forefront of these efforts as well as efforts to move to the cloud, coordinate the use of employee mobile devices, mine data, and maintain security. I read somewhere that the CIO is not unlike a conductor, orchestrating separate sections into a synchronized whole. I think that’s about right.</p>
<p>Give me your thoughts on how you see your CIO role. How are you/they addressing these challenges? Does the world look different from where you sit? What would you do if you were CIO or CISO?</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2015/03/25/cios-unsung-heroes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
