The person with the CIO job, you, is the person who is responsible for securing the company against attacks from outside. We all know that try as we might, we’re not going to be able to prevent the bad guys from trying to break into our networks. However, given that we know that they will be coming our way, what kind of obligation do you think that we have to tell the world when the bad guys do come knocking on our door? We can keep quiet about it, or we can tell everyone. What’s the best thing to do?
What Happens When CIOs Keep Quiet
When you are in the CIO position, you are responsible for knowing everything that is going on in your company’s IT department because of the importance of information technology. Any sort of cyber-attack is clearly something that falls into your area of responsibility. Your #1 responsibility will be, of course, to defend the company against any such attack. This can be a very dynamic situation and it may require you to call upon many different company IT resources. Additionally, you may also find yourself going to outside firms in order to get the defensive help that you feel that you need.
Once the attack is over and the bad guys have gone away, you then have an important decision to make. You now need to make a decision as to if you are going to be willing to let the world know that you’ve come under attack. One of the key points that you may want to keep in mind is that many other CIOs have chosen to not publically report it when their firms are attacked.
Because of the decision that they have made, what has happened is that other CIO really don’t have a firm grasp of the scope of the threat that their firms are facing. What it also unfortunately means is that when they are being attacked, CIO generally don’t know the best way to defend their firm. What they are going to do is to end up relying on anecdotal information in order to try to determine what will work against the next wave of cyber-attacks that their firm has to deal with.
The Power Of Sharing Information
Clearly, when it comes to cyber-attacks, having more information puts a CIO into a better position to defend the firm. If a CIO does disclose that his or her firm was hit with a cyber-attack, generally the reason that they are telling the world is because they were required to by law. The reason for this is that a cyber-attack that results in the loss of personally identifiable information or medical records are the type that must be publically reported.
It’s important for CIOs to realize that the laws regarding mandatory reporting of cyber-attacks vary by state. Additionally, the federal regulations differ by industry and are often vague about just exactly what must be reported. The federal government has taken steps to encourage companies to share the information that they have on security breaches. However, there is nothing that currently compels companies to share the information that they have. The end result is that most companies have generic press releases when they are breeched and often don’t make any announcement if they suffer from an intrusion.
So what should CIOs be doing? What they should be doing is reporting each time that they have a cyber incident. These reports should include both the tactics and the techniques that the hackers used to attempt to get into the company’s network. The result of this would be that there would be greater transparency. This knowledge would allow everyone involved to do a better job of understanding how best to handle cyberrisk. Knowing this would allow decision makers to assess the risks that they are facing in addition to the progress that they are making to defend themselves against these types of risks.
What All Of This Means For You
A CIO is call upon to perform many different tasks. One of the most important of these tasks is the protection of the company from outsiders who want to do it harm. One of the biggest questions that we are currently facing is trying to decide just how much we want to share with the rest of the world about our efforts to battle the hackers who are trying to break into our networks.
As you might well guess, it’s not the first thought of a CIO to throw open the doors and tell the rest of the world when the company has been hacked. Your initial task is to deal with the attack as it is happening. Once it is over, then you’ve got decisions to make. Since very few other CIOs report when their firms are attacked, there is very little information for you to use to determine the scope of the threats that your firm is facing. Some cyber-attacks do have to be reported by CIOs: the ones where customer information was lost. The reports on these attacks are often generic and don’t contain a great deal of information. What CIOs need are complete reports from other CIOs. These reports should contain things like the techniques and tactics used by the hackers. Armed with this information, CIOs would have a better understanding of the types of threats their firms are facing.
CIOs have a difficult decision to make. They need to balance their desire for privacy and the saving of face against their need to understand the scope of the threats that their firms are facing. Becoming more transparent about the types of threats that their firm is dealing with can only help other CIOs. If those CIOs choose to do the same thing, then perhaps CIOs will start to be able to sleep better at night knowing that their network is secure.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: Do you think that CIOs should share their threat information with the world or just other CIOs?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!
What We’ll Be Talking About Next Time
As the person with the CIO job, it is our responsibility to stay on top of all of the new technology that is out there because we understand the importance of information technology. Our goal has to be to understand how the new technology works and to determine whether or not it can be useful for our company. One such technology that has shown up on the horizon in the past few years is artificial intelligence (AI). What does this mean for our companies and is it a good thing or a bad thing?