Why CSOs should care about IT
By David Shearer, CISSP
The role of chief security officer (CSO) is evolving. Not only is the position one of the most prominent within companies, with collaboration between the chief executive and chief operating officers occurring regularly, but the security threats they are facing are always changing. High profile cyber attacks over the past several years have raised the organizational profile of CSOs, as well as their responsibility for facing a variety of threats.
There is a growing emphasis on cyber security and the necessity for IT to be incorporated into the overall plans of the security department. The goal of protecting the company and its assets is paramount for both the IT and operational security departments. Collaboration is key.
Just as a bank would lock their vault, organizations and their CSOs need to determine what their most valuable assets are, so that they know what to protect. Important information – client lists, passwords, financials and more – was once only stored physically. Now it is stored digitally as well, increasing the number of threats to mitigate. Collaboration between CSOs and chief information officers, or other department heads in IT, can help tackle challenges from all sides to ensure a more cohesive plan; and in turn, a more secure organization.
However, this is not always the case. In September 2015, the Ponemon Institute conducted a study of more than 600 IT and IT security professionals, finding a stark lack of cooperation on security issues across departments. Collaboration was described as “poor” or “non-existent” by 32 per cent of respondents, and only 44 per cent said they believed their organizational leaders recognized how important good cyber security is to managing risks.
CSOs also need to be aware of a growing trend in cyber security – insider threats. Background checks, drug screenings and even personality tests have long been security functions in the interview process for prospective employees. However, the role of security should not end at onboarding. Monitoring employee behavior and activity is key to mitigating risks before they can occur. Tracking employee activity online is as important to the security of an organization as the security cameras in office hallways. Security concerns should not be limited to malicious employees. Negligent employees who are unaware of even the most basic security best practices can pose one of the greatest threats to an organization’s security.
IT professionals within an organization need to have the authorization from the CSO to communicate with employees of all departments to advise them of potential risks as part of company security training. Just as operational security would advise employees not to allow random visitors into the office, cyber security needs to have the same authority to advise against the possibility of allowing malware of any kind into an organization’s digital infrastructure.
CSOs own the security of their organization and should draw on every department available to them to help achieve their mission of safety and protection. As IT becomes more ubiquitous in our personal and professional lives, we increasingly rely on the conveniences that technology provides. Unfortunately, bad actors see these seemingly ever-expanding conveniences as new avenues for exploitation. Within the corporation, beyond traditional office automation solutions, situations like facilities with embedded IT and manufacturing with embedded industrial control systems (ICS) need to be considered in the organization’s cyber security plan as part of the attack surface. Consequently, most would agree that when it comes to the CSO’s area of responsibility, it’s an ever-expanding universe.
David Shearer is chief executive officer for (ISC)², www.isc2.org