Chief Information Officers (CIOs) now bear a far greater responsibility to understand the challenges, solutions and trade-offs facing the organizations they are part of. It is equally crucial that CIOs understand the plans and programs their companies undertake to address these issues, so that the entire breadth of IT initiatives can be properly represented and supported. Risk management has long been a high-inertia subject for most companies, and it is this unwillingness to act that leaves organizations more vulnerable to breaches such as the one suffered by Equifax.
Three broader issues to consider:
- Security strategy and transformation
- Security operations and response
- Information risk and protection
The most important questions every CIO must ask are:
- What is the current level and business impact of cyber risk to the company? What is the plan for preventing and containing damage?
It is important to know which baseline protections are in place; an in-depth assessment will show where the pain points are. An intrusion detection system can be a useful control in this context.
- How is leadership informed about the current level and business impact of cyber risk?
Visibility is crucial. Executive management should have a clear picture of the current situation, and IT security metrics should help them take actionable decisions for the future. A half-yearly or annual information security report would be a good start; it might include the latest trends in cyber activity, the company's current posture, and areas where improvement should be considered.
- What cyber security framework is in place? Is it based on an industry standard, and if no industry standard applies, does the framework hold up in a crisis?
Cyber security must address good times as well as bad. Layered protection built on industry standards, data loss prevention (DLP), and the responsiveness of systems under attack must all be checked for resilience. Cyber risk should be part of enterprise risk management.
- Are vulnerability assessments, penetration tests, red-team exercises and sandboxing performed regularly to check the organization's security strength?
These tests not only reveal weaknesses; if done comprehensively, they also suggest the preventive measures to be undertaken.
- How does the company compare with its peer group, and is the company's cyber risk appetite in line with its business risk appetite?
This is a crucial equation, because the higher a business's exposure to risk, the more it may tend to overlook cyber risk. A CIO must look at the whole picture in terms of business needs, and therefore make a plan to keep management informed of current threats, the company's readiness and its exposure.
Logix Infosecurity helps CIOs take the right decisions for their enterprises by offering a suite of products with capabilities that match business needs. Our team of experts helps companies understand the intricacies of managing cyber risk, and supports their initiatives with the latest technology and tools to cover the exposure.