IT Security: Don't ask “Will we be targeted?” Ask “Will we be ready when targeted?”

It is always interesting to see how different people behave in different ways when faced with the same challenges. Depending on their maturity level and position, their concerns will be different. A more junior staff member caught up in the hectic daily activities will probably be asking whether new events will mean overtime and additional work. A manager will probably be concerned with the resources at hand and whether timelines can be met. Directors and executives will be looking at the overall strategy, how the new challenge may affect decisions already taken, and whether additional spending will be needed.

However, few events today make as big a difference to, and have as much influence on, the decisions that CXOs make as security events in any shape or form. In recent times we, as part of this world, have lived through many menaces and threats. The question is: is everybody aware of this? Does everybody know what being part of the current world means (as far as IT is concerned)? Many people try to continue with their normal lives without giving much thought to what may come. I will give you an example.

I bet that many CIOs and IT Directors have heard this from their CEOs at some point in their lives:

“Will we be targeted by viruses, threats, pirates or any other kind of security threat?”

The answer is very simple:

“Of course you will, what makes your company special???”

That is the difference between a company that will continue operating and those that take their status quo for granted, thinking that nothing can affect them because they have an antivirus and a firewall. Please see below to reconsider your security:

As you can see, not everything comes from external threats; IT security threats may arrive from any unexpected direction. Blocking external threats does not mean that you are entirely safe. Actually, half of all threats come from inside and, in many cases, on purpose. People don't realize that there must be a culture around security, where people keep control of their assets with very little left to chance. It is really surprising that when I speak with people about security it becomes a topic that many prefer not to talk about and to ignore, just in case… just in case what? You should be ready and try to prepare your organization for the worst, while hoping for the best.

I understand that talking with security experts may be worrying for some people. It is like talking with an insurance advisor. They will try to sell you every policy in the book so that you are “properly” covered. Of course it would be nice to be covered for every single situation in life, but what are the chances of you being struck by lightning? Well, at first thought you would not take that insurance, but if you are a storm chaser, chances are that you will be “roasted” at some point… and likewise, the chances that someone will then offer you a life insurance policy will be extremely slim.

Looking at what concerns CISOs, it is always the same: protect your data, wherever it may be. That is the core you should be looking into first, and that is where you need to start: analyse and understand where your data is AND how it is handled.

Your valuable data should be protected with a plan I call an “onion security plan”, where your data is the core of the “onion” and all the layers covering it are the layers protecting your inner business. You can establish any number of security measures, but the closer anybody gets to your core, the more difficult it should be for them to reach it.

It is not always simple to stay on top of security, as the “bad guys” are always ahead. But what is not normal is for so many companies to be so far behind in implementing security measures. It is understood that being up-to-date is a very daunting task, and not only because of the CAPEX or OPEX spent securing your systems. Many people forget the educational side and how employees can defeat even the most secure infrastructure if they use it inappropriately (for example by sharing passwords or internal information). Information security training for all employees should also be treated as highly important.

Bottom line: you should not think that your business is of no value to hackers, pirates and the like. They may not want your data… they may just be looking to disrupt your business and damage your reputation. Damaging your ability to operate may degrade your services, which will no longer be as agile as those of your competitors, taking customers away. Remember that everybody now expects speed and an almost immediate response to their needs.

Control the situation before the situation controls you.
