3 offensive moves to help CIOs defend digital security

3 offensive moves to help CIOs defend digital security

380 readers like this
CVE explained

Managing one’s state of digital security (or more accurately, insecurity) today is really built on three pillars.

1. Responsive posture

There is no doubt that hackers are attacking my network of 30 colleges every day. We catch some of those attacks; others, we don’t. The sheer volume of these exploits is driving a shift in the industry from detection to response. And that’s where winners in online security are being separated from losers right now. The question is not how quickly can we sense an attack, it’s how difficult can we make it for the attackers so that they move on to somebody else, and how rapidly we can respond when something does happen.

To give you some idea, here’s how quickly you need to respond in today's environment:

  • Example 1. One of our employees succumbed to a spear-phishing attack that started a cascading effect of using that person’s credentials to attack other people. We were able to block it almost immediately and then completely shut it down within 20 minutes. I credit our organization’s response to a stance of moving swiftly and limiting damage.
  • Example 2. In the old days – a few years back – it was possible to receive a software patch and evaluate it for up to 30 days before deploying. The last figures I’ve seen show that when a patch is released, you have between four to eight hours before a potential attack based on the fact that the patch is on the street and hackers can reverse-engineer the vulnerabilities that are contained within the patch. Companies exist today that are detecting these attacks as they occur in eastern countries and then trying to ensure sure that the defenses are in place before the sun rises in western ones.

2. Responsive management

All this said, even as attacks are becoming more sophisticated and more frequent, the basics of security remain.

  • You need a robust endpoint protection system that’s looking not only at desktops and laptops, but at mobile devices as well.
  • You need protection across the spectrum of virus, malware, mobile device management and patch management.
  • You need top-notch network management that almost works like an automatic adapted system. Clearly, the days of being able to review security logs at the end of the week, or even the end of the day, are gone.
  • You need disaster recovery and business continuity solutions. If you suffer a security disaster, have you figured out how you are going to do business continuity? This involves a substantial investment of resources, and typically involves the CEO of the company.

3. Responsive culture

Of course, the weak leak and the strong link in security is ultimately your people. Even if you define a formal risk management program where you characterize the real risks to your data and to your enterprise systems and you prioritize remediation of that risk to an appropriate level, unless the entire organization or corporation is on board with that, you’re going nowhere.

Think back to my patch management example. Let’s say you’re ready to implement new patches right away, but you’ve got some faculty member or manager who, for political reasons, is insistent that he or she retains the right to patch his system. Then you’ve got a real problem. Organizations need to do the appropriate checks, but do them very quickly, and then deploy the patch. So how will you get everyone on board?

Disasters large and small will come to you. Target and Sony and countless other examples prove it. That means your IT staff and all your employees need to think in terms of working as a team when it comes to security. Make no mistake: one of these exploits handled the wrong way can get you fired.

This time it’s personal

I’d love to say that security exploits and professional hackers don’t get under my skin, but they do. There is clearly emotion associated with all this, and that emotion has to be managed. After all, this is one of those areas where personal attachment and job security directly intersect. Not only that, if the exploit is of sufficient scale, it could affect you even after you leave your company and limit your long-term employability.

That’s why the best defense, in security at least, really is a good offense.

Curtis A. Carver Jr., Ph.D. is the Vice Chancellor and Chief Information Officer for the Board of Regents of University System of Georgia (USG). In this capacity, he oversees a statewide educational infrastructure and service organization with more than 190 innovators and more than $75 million annual investment in higher education. He also provides technical oversight of the USG Shared Services Center. Dr. Carver has led the transformation of IT services by partnering with USG business owners, institutions, and other state agencies to jointly solve problems.

Curtis A. Carver Jr., Ph.D. is the Vice President and Chief Information Officer for the University of Alabama at Birmingham. In this role servant leader and enabler of others, he leads a team of dedicated professionals focused on providing solution to the UAB through world-class IT with a focus on innovation, agility and cost efficiency.

7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Sachin Gupta
January 22, 2021

Remote work brings new challenges to the hiring process. These interview questions can help you gain insight into a candidate’s communication skills, initiative, and more

Submitted By Yoav Kutner
January 22, 2021

Think you know how to motivate your team? You might be surprised. Consider this advice on what inspires people to work hard.

Submitted By Lee Congdon
January 21, 2021

By establishing flexibility, cost-effectiveness, business partnerships, and a culture of ownership and accountability, we successfully dealt with great change.


Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.