How CIOs can create a culture of security awareness
By David Weldon
Numerous studies have agreed that IT security is the top concern among CIOs this year, especially with the topic rising to discussions among top boards of directors. That makes it critical that CIOs be able to communicate security risk at the executive level, and obtain buy-in for security investments.
But as Michael Flickman, chief technology officer at Diligent Board Member Services, noted, those discussions probably shouldn't be happening directly between the CIO and the board. Instead, the CIO should create an overall security awareness campaign among the various line managers, and enlist them as champions to the cause.
Flickman sat down with FierceCIO to share his thoughts on what is currently happening in the IT security space, why many organizations fall short, and what IT leaders should be doing immediately to best protect their organization and create a culture of security awareness.
FierceCIO: Please tell us a bit about Diligent Board Member Services.
Michael Flickman: We are a company of about 270 people. Our headquarters is in New York. We have additional offices in Christchurch, New Zealand; Charlotte, North Carolina; London; Sydney; and Hong Kong. The technology organization as a whole is about 140 people, and that includes various flavors of IT, whether it be in security, engineering [or] product development--which includes software development and QA.
FierceCIO: Who are your primary customers?
Flickman: They're really all over the place, but certainly the Fortune 1000 space. We are extremely strong in financial services, and we're big in nonprofit, government and academia.
FierceCIO: How would you characterize the period we are in right now from an IT security perspective?
Flickman: I think the risk to business is getting more dramatic every day, every week, every month. We're seeing more cybersecurity incidents happening on a daily basis. We just saw a pretty substantial break at Blue Cross and Blue Shield. It's a never-ending battle. You always have to stay a couple of steps ahead of these attempts to thwart your systems, and that includes your data centers, your applications--it's the software, it's the environment, it's the people. It's getting more critical every day.
FierceCIO: Do you think IT security is doing a good job of keeping pace, or are the bad guys getting an edge?
Flickman: I think it varies. What we're seeing is that: there's a breach, and then we're patching those holes and learning from that, and from there taking it a step further--we're understanding the patterns and the techniques they're using to try to thwart our systems. So anytime there is a vulnerability we see that as an opportunity to understand a different pattern or algorithm and broaden our depth and reach. So I think you're seeing a bit of a leap-frogging here and there between the security professionals and hackers.
FierceCIO: What about at the board of director level--are boards really taking note of cybersecurity and making it a higher priority?
Flickman: I think so. If you look at what Diligent is known for, certainly security is one of the main aspects of our product and our company, our infrastructure, everything about it. I can assure you that whether it be with new clients or existing clients, we're always having ongoing discussions about what we're doing with our product. We're always adding to the security capabilities of the product. New clients always want to discuss in-depth about our security, about our application; how it's built, how it's secured.
FierceCIO: What is the role of the CIO and the CTO in terms of preparing the board to understand the security risks and vulnerabilities?
Flickman: When you're talking about cybersecurity, if you're talking at a board level and you have a CEO-to-CEO engagement, it's really your technical staff that wants to get into the specifics. At the initial conversation there is obviously discussion about best of breed security; what we're doing. You may talk about your security department and some of the standards, some of the various programs that you're certified in. But at that point it usually drops down to the next level and you're having a conversation between CIO, CTO, security staff. That's where they're really doing deep dives into audits, infrastructure, penetration testing--it drops down to the senior technologist level quite fast.
FierceCIO: Are companies putting enough budget and resources into IT security?
Flickman: Certainly with the clients that we typically speak with, yes. They typically have a chief security officer or a dedicated security team. It isn't unusual for us to have those deep technical discussions with our security counterparts in those companies. If you're dealing with a smaller organization, it's possible they may be outsourcing some work or that they don't have a dedicated security person. Maybe they just have some security-aware people. That gives us an opportunity to help educate them on what their vulnerabilities are in general.
FierceCIO: When you first become engaged with a client what are some of the common IT security mistakes or shortcomings that you see?
Flickman: The first thing is that you should have a dedicated security person or team. It obviously depends on the size of your company. It's a moving target, and having very deep technology capabilities in the security space is pretty critical nowadays. It really warrants having your own group of individuals that specialize on that. Then it's a matter of possibly engaging with third parties to do audits, to do testing.
Sometimes companies don't even follow the basics. They don't encrypt data at rest or in transit. They're not doing network audits. In many cases we're seeing Security 101 [issues]. In some cases they're so caught up in these deep dives into security that they're missing some of the easy stuff.
The other thing is, your company should have an ongoing security awareness program. You should be talking to your employees as well and testing them. Having dedicated security personnel, looking at some of the basics [and] having an ongoing internal awareness program are all part of the broader security planning that companies should be implementing.
FierceCIO: Do most companies understand that this is what they need to be doing?
Flickman: I think they understand it but they're not necessarily doing it. They're typically a little more reactive than proactive until something happens. The event may not happen in their company--it could be in their space or it could be somebody they're dealing with, and then it's [a] scramble. But I do think things are getting better.
FierceCIO: How does the CIO or CTO best approach the CEO and walk them through the risk assessment?
Flickman: There are a couple of things they can be doing. One is, I wouldn't necessarily make this a CTO-to-CEO conversation. I think it's a matter of getting your core business heads together and creating a security awareness program where you understand their business, the type of people they're dealing with, the type of data they're dealing with, the systems they're dealing with, and then expose possible vulnerabilities--not necessarily to their systems, but what would an exposure of a particular type of vulnerability be for you, as the vice president of sales of a company, or as medical director in a hospital. Here's what could happen, and here's what the ramifications of a breach would be. Come to those meetings--and those should be ongoing meetings--with what your proposed solution would be. I think it's more about having that CTO-to-line of business discussion, and engaging the line of business.
FierceCIO: What is happening on the staffing front around IT security?
Flickman: It's difficult. It has obviously gained in popularity if you're a technician. So if you're working in the IT field, you know security pays well and is a hot topic. But it is the really experienced people who are typically the innovators in thwarting these attacks. For the CIO, I think it's a matter of putting a robust staffing plan together, recruiting out of some of the larger organizations, recruiting out of the government, recruiting out of some of the large academias that are known for this.
FierceCIO: What advice would you have for the CIO or CTO for how to make 2015 the most secure possible, from a cybersecurity perspective?
Flickman: One is, start today. Understand your line of business well. Understand where your data is, how it's stored, and what the vulnerabilities are. Work with the lines of business, and even if you have to go to a third party while you try to grow your staff, put a plan in place that is constantly monitored and with constant education for working with the rest of the executive team. The longer you wait to do it, the sorrier you will be.