CEOs and Information Security
Yes, I said CEO, not CISO or CIO! It’s not a typo.
What’s the most important thing you can do as a CEO to improve your organization’s overall information security? Is it hiring and retaining top quality information security technical expertise? Is it purchasing and installing the latest and greatest information security, antivirus, and intrusion detection software?
While having qualified information security technical experts on your team and having the best information security software and systems in place are critically important, there is one fairly simple thing you as a CEO can do that rises above all else.
That one thing is understanding your organization's current level of information security awareness, and how mature your organization is at fostering greater awareness on the part of all your employees.
Most significant breaches take place not because of some mastermind technical hack, but because some employee somewhere gave away the keys to the store by falling for social engineering, a phishing attack, a malware download, or some other human-based attack vector.
Improving employee awareness is often the missing or overlooked link in an effective information security program.
All the best experts and software in the world won’t protect you if someone decides to hand out all the payroll information to a spoofed email request from the CEO that actually tracks back to some criminal in China or Eastern Europe.
Information Security Organizational Maturity
Organizations can be assigned one of several broad categories in terms of their organizational maturity concerning information security. As usual for "us IT types", these categories are examined in terms of People, Process, and Technology.
From lowest to highest (worst to best), they are:
Infancy - no dedicated staff are assigned to focus on information security, no formal program for information security exists, and no controls are in place.
Childhood - someone has been assigned to lead information security efforts (usually IT), some risk management policies are in place, and some controls are established with marginal documentation. No one tests the process, though.
Adolescence - staff roles and responsibilities start to become more formalized, information security policies and governance committees start to gel and become part of the operation, controls are documented but not fully optimized. Some testing for compliance takes place.
Adulthood - the organization supports continuous improvement for security training & skills, processes, and technology. Processes are in place across all parts of the operation, assessed on the basis of risk, and constantly measured. Controls are universally implemented across the entire organization.
Generally, organizations at lower levels of maturity rely almost exclusively on IT to “protect the enterprise”, and most non-IT employees (including senior management!) either are totally unaware of or do not believe they have a role to play in the preservation or strengthening of the organization’s information security.
By contrast, organizations at the highest levels of maturity fully understand that information security is everyone’s job, and not solely the responsibility of the IT department. Senior management is the driver behind the solution, and all employees undergo routine and continuous information security training, exercises (e.g., “friendly phishing”), and corrective actions as a formalized ongoing corporate or organizational operation.
Where does your organization stand on the maturity spectrum? What can you do today as the CEO to improve it? Contact me to learn more about ways we can help you improve your information security organizational maturity!