Stefano Ciminelli, Executive Director, EY EMEIA Financial Services, writes about the role of a CIO in improving companies’ cyber resilience.
News about data breaches is hitting the headlines, and the mainstream media is talking almost every day about new kinds of cyberattacks. By now we all know it is not a matter of “if” but “when” your company will be attacked; no organization is immune. And even strong, long-established organizations seem incapable of dealing with security breaches smoothly.
Consequently, companies seem to be spending more on information security than ever before. Every organization I have come across as an advisor currently runs one or more security transformation initiatives. And given the growing pressure from regulators in terms of information security risk management, the trend won’t be reversed anytime soon. So how can organizations, instead of spending more, begin to spend smarter?
The optimization of a company’s approach to information security starts with the CIO.
Here are three questions CIOs – and organizations – can ask themselves to assess their current state and get started with optimizing their information security policies and systems.
1. Are we prioritizing our security investments correctly?
The majority of companies, especially in the financial industry, invest a considerable part of their security budget in running massive – and certainly vital – penetration testing campaigns.
What CIOs should be wary of is falling into the trap of focusing on the vulnerabilities identified through these campaigns at the cost of operational excellence. Fixing vulnerabilities does deliver positive results in the short term, but the decreased focus on operational excellence will itself generate new vulnerabilities in the mid to long term. And thus starts the vicious circle.
CIOs, in addition to fixing vulnerabilities, have to understand which threats are most relevant to the organization and which information and systems are the most sensitive and therefore most in need of protection. They need to prioritize actions based on risk, rather than on the number of identified vulnerabilities and their criticality. Then they can invest effort and budget in periodic “Red Team” exercises (getting impartial security advisors to simulate realistic cyber-attack scenarios).
These exercises bring great added value to the organization, resulting in a better understanding of the modus operandi of attackers – which is fairly simple: they persistently go after valuable information that can be stolen and sold quickly (such as credit card numbers, intellectual property and financial statements).
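To make the "risk rather than vulnerability count" point concrete, here is an added example (not code from the article or from EY) that ranks the same set of penetration-test findings two ways: by CVSS severity alone, and by a business-risk score that weights each finding by the sensitivity of the affected asset, how actively that kind of system is targeted, and whether it is internet-facing. The findings, assets, sensitivity tiers and the weighting formula are all constructed assumptions for illustration; a real program would take the tiers from its data classification and threat assessment.

```python
"""Rank pentest findings by business risk instead of by CVSS alone.

Added example, not from the article. All assets, findings and scores are
constructed sample data; the weighting scheme is an illustrative assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int        # 1 (public data) .. 5 (crown jewels); assumed classification tier
    internet_facing: bool   # exposure: reachable by an external attacker without a foothold
    threat_relevance: int   # 1 .. 5, how actively this kind of system is targeted (assumed)


@dataclass(frozen=True)
class Finding:
    id: str
    asset: Asset
    cvss: float             # technical severity as reported by the pentest


# Constructed inventory: one high-severity bug on a throwaway site, lower-severity
# bugs on the systems that actually hold what attackers sell.
ASSETS = {
    "marketing-site": Asset("marketing-site", sensitivity=1, internet_facing=True, threat_relevance=2),
    "card-vault": Asset("card-vault", sensitivity=5, internet_facing=False, threat_relevance=5),
    "customer-portal": Asset("customer-portal", sensitivity=4, internet_facing=True, threat_relevance=4),
    "dev-test": Asset("dev-test", sensitivity=2, internet_facing=False, threat_relevance=2),
    "hr-payroll": Asset("hr-payroll", sensitivity=4, internet_facing=False, threat_relevance=3),
}

FINDINGS = [
    Finding("F-1", ASSETS["marketing-site"], cvss=9.8),
    Finding("F-2", ASSETS["card-vault"], cvss=7.5),
    Finding("F-3", ASSETS["customer-portal"], cvss=6.5),
    Finding("F-4", ASSETS["dev-test"], cvss=9.1),
    Finding("F-5", ASSETS["hr-payroll"], cvss=5.3),
]


def business_risk(f: Finding) -> float:
    """Illustrative score: severity scaled by what is at stake and how exposed it is.

    The 1.5x exposure multiplier for internet-facing assets is an assumption.
    """
    exposure = 1.5 if f.asset.internet_facing else 1.0
    return round((f.cvss / 10.0) * f.asset.sensitivity * f.asset.threat_relevance * exposure, 2)


def rank_by_cvss(findings):
    """The 'fix the most critical vulnerabilities first' ordering."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The 'protect what matters most' ordering."""
    return [f.id for f in sorted(findings, key=business_risk, reverse=True)]


if __name__ == "__main__":
    print("by CVSS :", rank_by_cvss(FINDINGS))
    print("by risk :", rank_by_risk(FINDINGS))
    for f in FINDINGS:
        print(f"{f.id} {f.asset.name:16s} cvss={f.cvss:4.1f} risk={business_risk(f):6.2f}")
```

Run stand-alone, the CVSS ordering puts the marketing site and the test server at the top, while the risk ordering puts the card vault and the customer portal first; the two critical-rated findings drop to the bottom because nothing an attacker wants sits behind them.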
2. Are we focusing enough on protecting what matters the most?
Before embarking on multimillion, multiyear security programs, CIOs should make sure the organization has laid the correct foundations and addressed the business security risks.
Moreover, it is important that CIOs gather real-time intelligence related to cyber attacks against their organization.
To be successful, CIOs need to know what defines sensitive data, which measures the organization is taking to protect it, where it is actually stored, who in the organization is granted access to it and, most importantly, who is accessing the most sensitive data right now – as you are reading this post.
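The last two questions (who is entitled to the sensitive data, and who is touching it right now) are answerable only if the data inventory, the entitlements and the access logs are joined. The following is an added example, not code from the article or from EY, that does exactly that over a few constructed log lines: it flags reads of a sensitive store by an identity that is not in an entitled group, flags bulk reads even by entitled identities, and lists who accessed each sensitive store in a recent time window. The log format, the store inventory, the group membership and the bulk-read threshold are all assumptions for illustration.

```python
"""Monitor access to sensitive data stores over constructed audit log lines.

Added example, not from the article. Log format, inventory, entitlements and
the BULK_ROWS threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed inventory: which stores hold sensitive data and which groups may read them.
SENSITIVE_STORES = {
    "card_vault": {"classification": "restricted", "entitled": {"payments-ops"}},
    "hr_payroll": {"classification": "confidential", "entitled": {"hr-admins"}},
}

# Assumed directory group membership (what the organization has "granted").
GROUP_MEMBERSHIP = {
    "alice": {"payments-ops"},
    "bob": {"hr-admins"},
    "mallory": {"marketing"},
    "svc-etl": {"payments-ops"},
}

BULK_ROWS = 1000  # assumption: reads at or above this size are reviewed even when entitled

# Assumed log line shape, e.g. "2024-03-12T09:14:03Z user=alice action=SELECT store=card_vault rows=12"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) store=(?P<store>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample log: one entitled read, one unentitled read, one bulk export,
# one entitled HR read, and one read of a non-sensitive store.
SAMPLE_LOG = """\
2024-03-12T09:14:03Z user=alice action=SELECT store=card_vault rows=12
2024-03-12T09:15:10Z user=mallory action=SELECT store=card_vault rows=5
2024-03-12T09:16:42Z user=svc-etl action=SELECT store=card_vault rows=250000
2024-03-12T09:17:05Z user=bob action=SELECT store=hr_payroll rows=40
2024-03-12T09:18:30Z user=alice action=SELECT store=marketing_site rows=3
"""


def parse(line: str):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not crashed on."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev


def detect(log_text: str):
    """Alerts as (user, store, reason) tuples, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        meta = SENSITIVE_STORES.get(ev["store"])
        if meta is None:
            continue  # not in the sensitive inventory: nothing to alert on
        groups = GROUP_MEMBERSHIP.get(ev["user"], set())
        if not groups & meta["entitled"]:
            alerts.append((ev["user"], ev["store"], "unentitled-access"))
        elif ev["rows"] >= BULK_ROWS:
            alerts.append((ev["user"], ev["store"], "bulk-read"))
    return alerts


def current_accessors(log_text: str, now: datetime, window: timedelta = timedelta(minutes=5)):
    """Who touched each sensitive store in the window ending at `now` (the 'right now' question)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and ev["store"] in SENSITIVE_STORES and now - window <= ev["ts"] <= now:
            seen[ev["store"]].add(ev["user"])
    return dict(seen)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
    now = datetime(2024, 3, 12, 9, 18, tzinfo=timezone.utc)
    print("accessing sensitive data now:", current_accessors(SAMPLE_LOG, now))
```

Two design points: the check is driven by the inventory, so a store that is not classified produces no alert (an unclassified store full of card numbers is a data-discovery gap this code cannot see, which is why the "where is it actually stored" question comes first), and entitled service accounts are still caught when their read volume looks like an export rather than a transaction.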
3. How ready are we to respond to cyber attacks?
While incidents are unavoidable, you can always limit the damage by establishing an effective cyber breach response program. Organizations, regardless of their size or market share, should assess their security incident response capabilities. Depending on the maturity of the organization, they can then deploy technical tools and operational procedures, and keep them ready to be used in the event of an incident.
CIOs should make sure the “Blue Teams” (security employees or advisors in charge of defending the organization against cyberattacks) are well trained, technically capable of using incident response tools, aware of the incident response procedures and, ultimately, ready in the moment of truth.
While cyber breach response programs don’t have to be complex or costly, they should be able to answer a simple question: when things go wrong, whom will I call to help me contain the attack and restore trust in my IT infrastructure? Here, establishing a retainer agreement with an external advisor with security incident response capabilities might also be an option worth considering.
At EY, we operate on the principle: “The better the question. The better the answer. The better the world works.” I believe this applies to the cybersecurity arena as well.