Implementing Your Company’s Cybersecurity, Military Style

You can never have too much cybersecurity
You can never have too much cybersecurity
Image Credit: Randen Pederson

Implementing a cyber-defense system for your company sure sounds like a good thing for the person with the CIO job to do. Just exactly what does that mean? I guess you purchase and install tools that will allow you to detect if the bad guys are able to get in, you create policies for what various people are supposed to do if this happens, and you make sure that your most precious assets are safely hidden away even if the bad guys get in. Putting all of this together is good, but how do you know if it will work? Sounds like it might be time to go have a talk with the military.

How The Military Makes Sure That Cyber Security Works

If you’ve gone to the effort of creating a cyber-defense system for your company, then the natural next step is to make the effort to determine if you’ve done it correctly. This is where the military can show you the way. What you are going to need is a “hands on” training opportunity that will put your network security team through their paces. What you are going to want to do is to test all of the security, policies, tools, and teams that you have put into place by simulating breaches of your network.

Where do most companies fall down when it comes to preparing their cyber defenses? In surveys of IT security professionals, they all pretty much agree that most security teams are simply not prepared for a real intrusion to occur. They believe that insufficient planning and preparedness is most company’s #1 barrier to being able to achieve a high-level of so-called cyber resilience – being ready for bad things before they happen.

So what is the person in the CIO position to do? The experts generally agree that providing your security teams with practice is what is required in order to allow them to prepare for the real thing. Giving them an opportunity to practice how they would respond to an external cybersecurity threat while they are in a safe, controlled environment before a real breach happens is the key to allowing them to develop the skills that you need them to have.

To Defeat A Hacker, You Have To Learn To Think Like A Hacker

One of the things that most companies have started to realize is that there are limits to the defenses that smart, well trained people can create. At some point in time you need to allow your IT security team to go into a lab environment and test what they have created. What you are going to want to do is to use the team’s knowledge about what is going on in the world in order to create simulations that reflect the latest emerging security threats that your company is likely to face.

This kind of real-world testing is designed to allow you to determine where your company’s defenses have gaps. The goal is to get your team to determine how they would respond to a set of various threat scenarios if / when they actually happen. The goal of all of this testing is to not only find vulnerabilities in the company’s network, but also in the security training that has been provided to employees as well as in the corporate security policies that have been developed.

As the company’s CIO, your goal needs to be to get your IT security team pumped up and eager to evaluate just exactly how ready they are going to be when the bad guys come knocking. What you need to understand is that you are trying to prepare your security team in exactly the same way that the military tries to prepare their soldiers for combat. What they have discovered is that the best way to get a team ready for what they are going to be facing is to provide them with a training environment that mimics the real-world networking environment so that your team can improve their preparedness.

What All Of This Means For You

The importance of information technology means that securing our networks has become a critical part of what it means to be a CIO. Putting the proper protection in place consists of training our staff, purchasing security tools, and establishing company security policies. However, all of this effort still leaves us with the open question: when the bad guys show up, will the company be ready?

Using book knowledge to create a company’s cyber defenses is what most of us do. However, that’s not enough. The next step is that we have to have some “hands-on” experience for our IT security teams. The goal is to provide your team with real-world security experience and help them to understand where holes may exist in training, products, or company policies.

We all understand that the company’s network will be under assault each and every day. As the company’s CIO it is our job to make sure that the network and the company are both kept secure. Purchasing security tools, training staff, and implementing company policies are all part of what we need to be doing. However, we also need to provide our security team with an opportunity to deal with simulated attacks in a hands on fashion if we want them to develop the skills that they are going to need in order to keep the company safe.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: How many times per year do you thinki that you should set up hands on training for your security team?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

As the person with the CIO job it is your responsibility to make sure that your direct reports are doing a good job of managing their staff. After all, collectively these are the people who make up your IT department and your ability to deliver on the importance of information technology depends on their abilities. If you have a lot of turn-over in your IT department, then something is not right. You’re going to have to take a careful look at how your staff is managing their millennials.