This article was originally posted by John Lainhart and Dan Chenok on the IBM Center for the Business of Government blog.
As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly day-by-day. Once a topic restricted to the IT organization, it is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential.
The IBM Center for The Business of Government has recently focused on how leaders and managers can understand, communicate, and get ahead of risk to achieve their mission. Cybersecurity is a core element of risk management in today’s interconnected world. As with other elements of risk, to address security requires a broader organizational focus than has been the case in many agencies and enterprises. To rely solely on the CIO to control all security matters is like relying on a single firewall to protect all types of threats.
More than ever, each leader in an enterprise must own a significant stake in securing data and intellectual capital that flows through an organization. The responsibilities for these security issues overlap organizational boundaries, as does the potential damage if things go wrong. For example, corporate Chief Marketing Officers (CMOs) or agency program leaders who focus keenly on reputation could find themselves at risk of losing customer trust and reputation if security violations result in the loss of personal information.
To succeed, the C-Suite needs to move toward a more systematic and proactive approach to addressing security threats and managing compliance requirements to unify their efforts in managing risks.
A three-point plan for the C-Suite
As a method to balance these responsibilities for combating security risks throughout the organization, government and industry leaders need to take three important steps toward building security intelligence:
1. Get informed. Take a structured approach to assessing business and IT risks.
Getting informed involves addressing IT security risk as part of a larger Enterprise Risk Management Framework. This structured approach to assessing business and IT risks includes identifying key threats and compliance mandates; reviewing existing security risks and challenges; implementing and enforcing risk management processes and common control frameworks; and executing incident management processes when crises occur. Another important action can be to empower a Risk Executive at the C-level who maintains regular interlock with oversight bodies and peers about security-related issues and drives the IT risk conversations into the organization. 0
The recently released NIST Cybersecurity Framework provides a roadmap for organizations to address cybersecurity, starting with critical infrastructure sector sectors (government and private industry).
2. Get aligned. Implement and enforce security excellence across the extended enterprise.
Security does not stop at the organizational boundaries. Successful organizations implement and enforce security excellence across the extended enterprise. This includes involving key stakeholders, including:
- Customers – Develop and communicate personal information policies. Remain transparent and rapidly address privacy breaches.
- Employees – Set clear security and privacy expectations. Provide education to identify and address security risks and manage the access and usage of both systems and data.
- Partners – Work with organizations across the supply chain to develop and implement supply-chain security. Report on and manage risks, including security incidents, as a normal part of business operations.
- Auditors – Align enterprise and IT risk. Contribute to controls frameworks and conduct regular reviews of regulatory and enterprise policies.
- Regulators – Manage regulatory risks and demonstrate compliance with existing regulations. Review and modify existing controls based on changing requirements.
3. Get smart. Use analytics to proactively highlight risks and identify, monitor and address threats.
As public and private enterprises need to bolster their security defenses, the use of predictive analytics plays an increasingly important role. They can do sophisticated correlation to detect advanced persistent threats, have a sense of governance, and have automated enterprise risk processes in place – all critical building blocks for enabling security intelligence. This includes the ability to:
- Identify previous breach patterns and outside threats to predict potential areas of attack
- Assess employee systems behavior to identify patterns of potential misuse
- Monitor the external environment for potential security threats.
In our increasingly complex and interconnected world, security risks are real and increasing exponentially. While solutions and strategies abound, there is one common denominator: security is more than a purely technical issue. Rather it depends on unification and input from multiple C-suite executives who can provide unique perspectives about risk, investment, and taking a preventative approach to security issues.