One of the most important jobs that the person with the CIO job is asked to do is to secure the company’s networks because of the importance of information technology. The good news is that the tools that are available to do this are always getting better and better. The bad news is that the weakest link in the security chain, your employees, seems to be becoming weaker and weaker. Too many CIOs are making it easy for the bad guys to get into their networks. What can a CIO do to create a cybersafe company?
Lots Of Information
The good news for the person in the CIO position is that their employees are getting smarter about the threats that are out there. I would be willing to bet that most of your employees have probably heard about, and experienced, phishing. The problem is that although network attacks like this are crude, they still have a 1% to 3% success rate. Just to make things worse, there are additional types of attacks called spearphishing that use highly customized data in order to get the recipient to click on a link. They have a much higher success rate.
What kind of cyberculture do we live in today? It’s one in which your employees are willing to share all sorts of personal information. They are also willing to try all sorts of new things. Both of these can be good things; however, at the same time they can both be dangerous. What this means for CIOs is that you are going to have to start to change the culture within your company. This is a task that will not be easy and it’s not going to be something that you will be able to do quickly. However, it is something that you will need to do if you want to be able to secure your company’s network from criminals. The bad news for CIOs is that the traditional ways of getting the word out about cybersecurity do not seem to work. These methods include distributing fliers, sending employees to one-off training classes, or having them view instructional videos. Employees don’t seem to retain the information that they have been given and, even more importantly, they don’t seem to change their behavior.
What’s a CIO to do? Just telling employees that cybersecurity is important and that there are things that they should not be doing will not accomplish what you want to get done. You can take things a step further and attempt to show them the effects of security mistakes that they make. This can provide a powerful visual image for them to see; however, in the end it probably won’t change their behavior. Instead, what it’s going to take to make the changes that you want to see is the reaction of your employees’ peers. They need to realize that cybersecurity is not just about them, but it is also about the other workers that their actions are going to affect. It’s going to be about how their security lapses affect the people that they work with.
Curiosity Killed The Cat
CIOs need to understand the challenge that they are facing. Their employees are basically not aware of the cybersecurity challenges that they are currently facing. People don’t realize the potential dangers that they are exposing both themselves and the rest of the company to on a regular basis. In order for a CIO to create a cybersafe culture at their company, they are going to have to start by making sure that everyone is involved in security. The problem that you’ll be dealing with here is that cybersecurity is often seen as being a technology issue. It’s something that the IT department is responsible for taking care of. However, the reality is that cybersecurity is the responsibility of everyone and requires an active effort on the part of all employees.
You are not going to be able to implement an effective cybersecurity program if you don’t have good leadership. When it comes to cybersecurity, employee motivation to secure the company will not just suddenly show up. Instead, within the company there is going to have to be very clear support shown from senior management. The company is going to have to have a manager who has been designated to handle cybersecurity and this manager is going to have to have a team that is going to help to make this happen. They are the ones who will be responsible for developing, supporting, and sustaining a culture of cybersecurity.
If you want to create a culture of cybersecurity, one of the easiest ways to make this happen is to put a series of passive solutions in place. These types of solutions need to require either no or minimal thought by employees to implement. Examples of solutions like this include segregating the portion of the corporate network that is used by employees’ personal devices from the rest of the corporate network. Something else that can be done is to start filtering all employee emails. When an employee receives a suspicious email, it should be placed in a separate folder. This will serve as a reminder to your employee that they need to treat this email differently and verify the sender before clicking on any links that it may contain.
What All Of This Means For You
On top of all of the other jobs that a CIO is required to perform, CIOs have been tasked with keeping the company’s network secure. However, even as the tools to secure the network have gotten better, the company’s employees have remained a weak link in the system. If CIOs want to implement an effective cybersecurity solution, then they are going to have to find a way to fix this problem.
The problem that CIOs are facing is not an issue of awareness. Most employees are aware that they are facing potential security challenges and that things like phishing exist. Your employees are all too eager to try new and different things. You are going to have to find ways to change your corporate culture. The problem is that all of the traditional ways that we have to go about doing this won’t work. In order to get your employees to change their approach to cybersecurity you are going to have to make them aware of how their actions can impact the people that they work with. CIOs are going to have to get everyone involved in the company’s cybersecurity program. The program is going to have to have clear and visible leadership. The best kind of solutions to implement are the ones that require no effort on the part of employees.
If CIOs want to secure the company’s network, then they are going to need the assistance of the company’s employees in order to make this happen. The challenge is going to be that the employees are not aware of just how vulnerable they are making the company. CIOs are going to have to design programs that will show the employees what they need to both start doing and stop doing if they want to have any chance of keeping the company’s IT assets secure.
– Dr. Jim Anderson
Blue Elephant Consulting – Your Source For Real World IT Department Leadership Skills™
Question For You: Employees will always be curious. What can CIOs do to make employees think before doing something stupid?
What We’ll Be Talking About Next Time
As the person with the CIO job, you have a lot on your plate. You need to make sure that the company’s networks are kept secure and you need to make the right decisions about new technology that the company is considering because of the importance of information technology. However, you also have to remember that you are a manager and that the IT department is your responsibility. You need to make sure that your department is running as smoothly as possible. What this means for you is that you need to be aware of the effect of rudeness.