How do you translate data security information to the board?
The CIO, CISO and even the IT department can easily help senior executives to understand more about data security
IT departments have long been aware of the importance of keeping corporate data secure. Protecting what amounts to the lifeblood of a company – its data – from external attacks and insider threats is the bread and butter of the CIO and CISO.
However, until recently other members of the C-suite had limited engagement with the issue of security. That is changing, and the change has been accelerated by the publicity given to high-profile data breaches: data security and business risk are now seen as tightly interlinked.
A single breach can inflict significant financial damage on a company, in addition to public embarrassment and reputational damage. In 2014, 42.8 million security incidents were detected – a 48% increase on the previous year – and the financial impact of these incidents was severe, costing companies $2.7m on average.
It is no surprise therefore that most members of an organisation, from the IT department to the boardroom, make it a priority to protect company information.
The upsurge in awareness of data security at C-suite level has taken place over a very short time, and this poses a particular problem for security professionals: how to provide the board with the information it actually needs, in a form it can use.
More than one third of directors are currently dissatisfied with the quality of information they get regarding cybersecurity risk, and more than half are unhappy with the amount of information provided.
So what does this mean for the IT department? CIOs and CISOs need clear strategies and a regular cadence for educating the board on data security issues.
Getting priorities right
The sheer volume of potential risks and vulnerabilities can seem overwhelming, so it is essential that the CIO is able to focus board members' attention on the threats that are relevant to the business and, even more importantly, to present a prioritised plan of action for dealing with them.
The idea is to make sure that the information presented to the board is easily digestible. Information should be free from technical jargon, and concepts should be broken down using business terms and analogies that easily drive the message home.
The first step to take when prioritising mitigation of threats is to undertake an enterprise-wide risk analysis and create a baseline cybersecurity profile. This approach lends itself to highlighting particularly high-risk areas to the board, and directing its attention to the data that is in the greatest need of protection.
Verify your findings
Conducting a risk assessment of company data is likely to go a long way towards bringing the C-suite up to speed with the most pressing security issues in your organisation, but a little external support is likely to lend extra credence to your arguments.
Enlisting a reputable third party to provide the board with a risk profile assessment could be a crucial factor in convincing the board of the need for greater investment in information security.
Once the most significant threats have been identified and verified, a CIO must make sure the board understands the IT department’s incident response plan, and each C-level executive’s particular role in the plan.
This is an ongoing process, and involves keeping abreast of emerging best practices, regulatory expectations and standards. It is also important to give the C-suite regular updates on current threats and on any changes to the incident response plan.
Implement the correct tools
Providing the board with regular information security reports is often a time-consuming process due to the effort involved with collating and analysing all the relevant data. However, if the IT department has a data-centric endpoint security solution in place, the process can be simplified significantly.
Implementing comprehensive endpoint data protection software gives the IT department visibility and control over the data stored on employees' laptops and workstations, allowing IT to identify leaked data and security threats and to respond to and remediate them rapidly.
Ideally the solution should update its forensic record automatically whenever a machine is connected to the internet, giving insight into where and when data was created, whether it has been changed or deleted, who did so, and from where.
Armed with the information provided by an overarching data security strategy – via important tools such as endpoint data protection – the IT department can provide the board with regular updates on the organisation’s security posture.
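To make concrete what the "forensic information" described above looks like once it is rolled up for a board report, here is an added example; it is not Code42's code or a description of its product. It parses a constructed endpoint audit trail (the record format, the sensitivity keywords and the list of "external" destinations are all assumptions made for the example) and produces the handful of plain-language figures a board can act on, while keeping the individual cases behind them traceable to user, device and time.

```python
"""Roll endpoint file-event records up into board-level figures.

Added example, not Code42's product or code. The event format, the
sensitivity rules and the sample events are all assumed/constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail: what a data-centric endpoint agent might
# report once a laptop reconnects (who did what, to which file, from where).
SAMPLE_EVENTS = [
    "2015-03-02T09:14:05Z,lt-0412,jsmith,C:/Users/jsmith/Docs/Q4-forecast.xlsx,created,local",
    "2015-03-02T11:20:41Z,lt-0412,jsmith,C:/Users/jsmith/Docs/Q4-forecast.xlsx,modified,local",
    "2015-03-03T08:02:13Z,lt-0412,jsmith,C:/Users/jsmith/Docs/Q4-forecast.xlsx,copied,usb:E:",
    "2015-03-03T17:45:00Z,lt-0098,amiller,C:/Users/amiller/payroll-2015.csv,copied,cloud:personal-dropbox",
    "2015-03-04T10:00:00Z,lt-0098,amiller,C:/Users/amiller/notes.txt,deleted,local",
    "2015-03-04T10:05:00Z,lt-0211,kwong,C:/Users/kwong/brochure.pdf,copied,usb:F:",
]

# Assumed classification rule: filename keywords that mark a file as sensitive.
SENSITIVE_KEYWORDS = ("payroll", "forecast", "customer", "salary")
# Assumed rule: destination prefixes that take data outside company control.
EXTERNAL_PREFIXES = ("usb:", "cloud:")


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    host: str
    user: str
    path: str
    action: str
    destination: str

    @property
    def sensitive(self) -> bool:
        name = self.path.rsplit("/", 1)[-1].lower()
        return any(k in name for k in SENSITIVE_KEYWORDS)

    @property
    def left_company_control(self) -> bool:
        return self.action == "copied" and self.destination.startswith(EXTERNAL_PREFIXES)


def parse_event(line: str) -> FileEvent:
    """Parse one comma-separated record: time,host,user,path,action,destination."""
    when, host, user, path, action, dest = line.strip().split(",", 5)
    return FileEvent(datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"), host, user, path, action, dest)


def summarise(lines):
    """Return the few numbers a board can act on, plus the cases behind them."""
    events = [parse_event(l) for l in lines if l.strip()]
    exposures = [e for e in events if e.sensitive and e.left_company_control]
    return {
        "events": len(events),
        "endpoints": len({e.host for e in events}),
        "sensitive_files_touched": len({e.path for e in events if e.sensitive}),
        "sensitive_files_moved_externally": len({e.path for e in exposures}),
        "users_involved": sorted({e.user for e in exposures}),
        "by_destination": dict(Counter(e.destination.split(":")[0] for e in exposures)),
    }


def board_summary(lines) -> str:
    """One plain-English sentence for the board: no product or protocol names."""
    s = summarise(lines)
    dests = ", ".join(f"{k}: {v}" for k, v in sorted(s["by_destination"].items()))
    return (f"{s['sensitive_files_moved_externally']} of {s['sensitive_files_touched']} "
            f"sensitive files seen on {s['endpoints']} endpoints were copied outside "
            f"company control ({dests}); {len(s['users_involved'])} staff involved, "
            f"every case traceable to user, device and time.")


if __name__ == "__main__":
    print(board_summary(SAMPLE_EVENTS))
```

The point of the two rules at the top is that they are the part the business, not IT, should own: which files count as sensitive and which destinations count as outside company control are policy decisions, and agreeing them with the C-suite in advance is what lets the resulting numbers be reported without jargon.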
Get the whole C-suite on board
Of course, one of the simplest ways to ensure that executives have all the data security information they require is by liaising with them on a regular basis.
Make sure all of the board members understand their role in the IT department’s incident response plan, and ask them if they have all the relevant information they need to make key decisions.
As long as you have the right tools in place for analysing threats to information security, packaging that data and presenting it to the board should be a straightforward and mutually beneficial process.
Sourced from Andy Hardy, EMEA MD, Code42