CIOs - Use 3 Cs To Play To Win At Cyber Security In 2017
By Ron Woerner, CISSP, CISM, Director, Bellevue University
• Categorize – Security is all about managing risk. The ability of a CIO to prioritize activities that address security risks while still meeting business requirements is a critical component of his/her job. Risks are uncertain, often misunderstood, and can change with circumstances. CIOs must maintain a continual understanding of each risk's likelihood of occurrence and its business impact in order to ensure proper security mechanisms are in place. Risk management creates a common language to identify, assess, and understand potential threats and vulnerabilities while identifying means for mitigating, accepting, or avoiding the risk. There are many risk management methods to choose from, including the NIST Risk Management Framework (RMF), Factor Analysis of Information Risk (FAIR), and the ISACA COBIT Risk IT Framework. Pick one and leverage it to categorize your risks against business, technology, and security requirements so that priorities can be balanced.
• Challenge – Assumptions born of business leaders' lack of awareness of basic security risks lead to security complacency. Together, those assumptions and that complacency create significant security risks that are often overlooked and therefore never adequately addressed. Sitting on the sideline isn’t an option for the CIO. She or he must have the ability to identify when this is happening, analyze the potential impacts, and mitigate them through collaboration. It means asking the tough questions to ensure there are no surprises, which only lead to headaches for everyone. A common issue for security personnel is known as Spaf’s first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong” (from the seminal book by Professor Gene Spafford and Simson Garfinkel, Practical Unix and Internet Security). It’s as true today as it was in 1991. A successful CIO collaborates with security staff and business analysts to challenge assumptions, address complacency, and educate against ignorance. (Side note: I use a new form of CYA meaning Challenge Your Assumptions.)
By categorizing risks, collaborating across the organization, and challenging the status quo, CIOs can overcome security issues plaguing industry today in order to win at cyber security in 2017.
Founded in 1966, Bellevue University is a private, non-profit, accredited university that is focused on providing education and educational outreach. It serves its students globally with high-tech online learning portals.