A recent report by the World Economic Forum (WEF) revealed that cyber risk is now the number-one concern of executives in advanced economies – as the sophistication of attacks, the technologies designed to defend against them, and the global regulations emerging to address them evolve rapidly.
Cybersecurity is no longer just a technology concern but an existential enterprise threat, and organizations are looking to CIOs to manage this major category of business risk, says Theresa Payton, former White House CIO and CEO of security firm Fortalice Solutions. “2018 is not over, and yet the cybercrime wave oddities continue,” says Payton. “We still have the old-school business email compromises, but we see that cybercriminals have added attacks such as cryptocurrency mining and using Internet of Things devices as newly unlocked doors into a company.”
The Enterprisers’ Project talked to Payton about seven of the most important actions IT leaders can take as they plan their cybersecurity activities and agendas for 2019.
1. Test and correct
“One of the most effective – and efficient – things a CIO can do to protect their company is to prepare,” says Payton. That means not just working with the CISO and business partners to pull together the key elements of a cybersecurity prevention and response plan, but thoroughly and regularly testing it to see how well it serves the organization. “It’s a smaller investment to practice a digital disaster rather than to respond to a disaster without a plan,” Payton says.
“Make sure you’re thinking ahead, determine who reports to whom, and practice your communication plan. This exercise often indicates where you may need outside partners to help you with the incident response and recovery such as forensics, security, legal advice, and crisis communications.”
Payton also recommends rehearsing full restores and investing in ongoing risk assessments and penetration tests.
2. Stay more informed
CIOs and their key cybersecurity team members should not only educate themselves about offensive and defensive advances but become cyber risk news junkies, she says. “We caution CIOs that nation-state hackers don’t just target other countries, they will attack private companies. Therefore, be sure to review the alerts from DHS and FBI to see if your company might be at risk.”
As cybersecurity and criminal tactics are constantly in flux, IT leaders must understand the latest thinking. “CIOs need to know as much as they possibly can about cybersecurity, and I highly recommend that they stay a constant student,” Payton says.
Payton advises CIOs to invest in security conference attendance, but there are also a number of free or low-cost ways to stay on top of the space, such as following security experts on social media, watching TED talks or virtual sessions from RSA and Black Hat, and studying freely available security frameworks and guidance like the NIST framework, the Center for Internet Security controls, and the latest discussions about the European Union’s GDPR.
3. Align cyber and business strategy
“I’ll hear CIOs talk about cyber risk as if it is its own island of risk,” says Payton. “It’s not. Cybersecurity must be considered an enterprise business and architecture strategy.” CIOs are increasingly responsible not just for the technical aspects of cybersecurity, but the business impacts as well. “I’d encourage all CIOs to know the strategic business priorities of their organization and how security relates to those priorities,” Payton adds.
“Cybersecurity is, more than anything, a brand issue. CIOs must acknowledge the significant implications a negative event can have on a company’s reputation and do everything in their power to balance implementing technologies and creating interoperability while also fending off cybercriminals.”
4. Design for humans
The best-laid cybersecurity plans will go awry – period. “CIOs must design security for the human,” Payton says. “They can’t enact these processes and procedures that are so complex that regular non-tech employees find ways around them. You have to figure out where your company stands on the ‘secure-ease of use’ continuum and go from there.” Employees will use free WiFi hotspots. They will recycle passwords. They will respond to that phishing email, she says.
5. Get to know physical security
The lines between the digital and the physical worlds are blurring, and that has implications for cybersecurity as well. Smart buildings, for example, can introduce a number of new attack surfaces. “Many CIOs do not spend dedicated time with the head of physical security,” says Payton, “and this is [a] mistake.”
6. Be transparent
All CIOs know it’s not a matter of if, but when, their systems are breached, yet they may still view cyber incidents as a professional embarrassment. Looking ahead, IT leaders should shift that mindset by practicing – and encouraging – more openness on the cyber front. “If you plan ahead and still fail but recover quickly, that’s a success story,” Payton says. “Be open – and where you can be transparent about the incident, do it. People will applaud you for it and its value as a business enabler.”
7. Widen the talent net
The first female White House CIO, Payton is passionate about diversity and inclusion in IT and cybersecurity. “I often tell other CIOs and C-suite executives that they need to stop chasing the same resumes and degrees from the same colleges. Stop looking for the same alphabet soup of security certificates. Many of the best security and intelligence employees don’t have traditional backgrounds,” Payton notes.
“My biggest piece of advice to executives everywhere is to be creative, innovative, open, purposeful, and mindful about how a candidate looks beyond their appearance on paper.” Payton advocates for seeking out women, minorities, veterans, or disabled candidates who may not have the usual technical background but have the intellectual curiosity that will serve them well in this fast-moving space. “Consider retraining and retooling insatiable problem solvers,” Payton says. “Hiring outside the mold is crucial to innovation and success.”