By Steve Winterbottom, CIO, Scientific Atlanta
If You Rely Solely on Technology, You Will Be Vulnerable
All chief information officers (CIOs) want to add significant value to their business, but that is only possible when you have the fundamentals of information security in place. A successful information security program requires an urgent, yet balanced, approach. If you are not delivering a secure environment, then you are not going to be a successful CIO; you may not even keep your job. A secure environment is a critical need for companies, and you are responsible for creating a culture that values information security.
No CIO wants to go in front of the audit committee of the board of directors to explain that the company has had a significant security breach. Having to do so after an issue has been made public is even worse. Things are more critical these days because information security faces a much broader set of threats than it used to, and they can have a greater impact on the bottom line. Forrester Research recently reported that the average security breach costs a company between $90 and $305 per lost record. And those breaches are more likely than ever to become public: some states require companies to report them.
Given that we are all linked electronically, and there are fewer boundaries between companies, how do you make sure you have a strong information security program in place?
Too often, people focus only on the technology side of things, and not on the people and the process involved. At Scientific Atlanta, we use a three-by-three action matrix. On one axis are three areas: people, process, and technology. On the other axis are three actions: Protect, Detect, and Respond. It helps guarantee that we address potential problems from a number of perspectives.
Certainly, there are a number of easy steps you can take on the technology side. You can run vulnerability management software that queries devices on your network to see if they are patched properly with the latest security updates. That will give you a report of devices that are missing patches or have other defects or holes. But you still need to have a process in place to ensure that the fix is actually made.
You also have to think about business alignment. Is the business concerned with protecting its intellectual property? Is there a fear of having the company name associated with information leaks? As a technology company, Scientific Atlanta is very concerned with protecting intellectual property. A consumer-based company might place a high value on its customers' financial information. Every company responds to different aspects of risk, depending on its industry, its internal policies, and regulations.
To test our security, we bring in an audit firm to do what is called a white-hat hacking exercise. People from the firm attack and try to penetrate our systems. More important, they also test our employees. They ask employees about their adherence to security policies. And they test us surreptitiously, using social engineering exercises to try to determine how many people would reveal their passwords in certain situations. When you report these results to management, and your grades aren't good, that helps you build a sense of urgency. (Note: we do this testing almost continuously; if you do an annual exercise, people will know it is coming and be concerned about security only then.)
Back in World War II, patriotic posters warned, "Loose lips sink ships." It was a way to focus on the people aspect of security: even the most innocent discussion of the war could reveal sensitive information to potential enemies. In this electronic age, we have a host of new threats, but it is important to keep that same sense of accountability for information security in our businesses.
Creating a culture of information security isn't easy, but here are some recommendations:
- Convene a security council that represents key parts of your business. This council will highlight different viewpoints from across the enterprise and will be important advocates for information security throughout the business.
- Start with security policies about passwords and Internet usage. Communicate to employees what is expected of them. One of the simplest but most effective policies we implemented was to insist that employees change the default passwords on all devices.
- Focus on a balanced approach that covers aspects of People, Process, and Technology with actions that focus on Prevention, Detection, and Response.
Any CIO who starts with these core recommendations can engage all levels of the company in the security battle. Using this foundation, you can go on to build a highly effective information security program.