Every IT department in every discipline and every industry is facing rising security threats. Attacks are becoming more complex and sophisticated, and CIOs everywhere are trying to figure out what to do about it. I believe one of the most effective ways to approach security is with good old-fashioned leadership.
You can’t blame the Chief Information Officer or the Chief Information Security Officer for attacks unless they have the authority to affect every employee. And typically they don’t. The folks who do are the managers and leaders within that organization. So while the CIO and CISO play a critical role, ultimately security is a matter of leadership. It’s a matter of every employee taking the appropriate actions every day to protect the organization. When security incidents do happen, they must become learning experiences that strengthen the organization.
In recent years, we’ve seen the threat environment transform from independent actors to organized crime and nation states. When I talk about security these days, I tell folks not to picture a kid eating pizza and drinking Jolt Cola. The picture you should have in your mind is of a corporate boardroom with everyone in a coat and tie. It’s very professional and coordinated because there’s so much money involved.
We’ve gone from being able to ignore zero-day attacks because they weren’t targeted at us, to having every zero day targeted at us. At this moment, we have nation states actively targeting us with disruptive denial-of-service attacks. As a result, the degree of responsiveness we need has significantly escalated.
Despite the increased threats, we’ve been able to reduce our security incidents significantly during the last four years. How did we do it? Through a combination of technology tools, policy and shared governance around security, and through education, training and awareness activities.
Building a system of leadership accountability
One of the first actions I took as CIO was to develop a built-in system of leadership accountability around security. When I started, the number of computer abuse and attack incidents was increasing along an exponential curve. So we set an institutional precedent and built an escalation chain where for each reported incident we triaged it as a low-, medium-, or high-threat incident. The timelines for responding to the threats were tied to the type of threat it was. We also used an escalation path that went from the individual department, up to the institutional CISO, up to the institutional CIO, up to the institutional president.
As we were building out this escalation chain, I told the presidents that if a security incident was ever reported up to their level that their first action should be to fire their CIO. I told them their CIO should be able to handle these incidents without involving the president. As you might imagine, the results have been dramatic — an 87% reduction in security incidents. Why? Because nobody wants to involve the president in a security breach; they know what will happen after they place that call. In essence, we've moved from a system where there was no accountability to one where the accountability was nuanced and based on the nature of the threat.
Security is not a destination — it’s a journey.
I think it’s a myth that we can build a perfect defense — that there’s a combination of technology that will perfectly protect a device. Short of disconnecting your device from the network and powering down, you’re going to be at risk. And I believe it’s up to any organizational leadership to guard against it. That’s a change, and that’s why I say there has to be a match between accountability and authority at our universities.
If you can establish the right metrics and build the right mix of technology, policy, education, training and awareness, then I believe you can dramatically lower your risk. You can’t eliminate it, but you can lower it.
We’ve done this by collaborating with our 31 institutional CIOs, asking them how we can build the right systems and establish the right policies to support secure operations. Our resulting policy documents included their feedback.
We’re still not there yet, because security is not a destination — it’s a journey. But we are becoming increasingly sophisticated in terms of how we defend our systems. And part of that is just based on old-fashioned leadership.
Read more about how CIOs can verify the security of external systems.
Curt Carver is the Vice Chancellor and Chief Information Officer, Board of Regents of the University System of Georgia.