When It Comes To Cybersecurity, What Should CIOs Be Worried About?

What should be keeping CIOs up at night?
What should be keeping CIOs up at night?
Image Credit: Richard Patterson

Let’s face it: it is becoming harder and harder to keep the company’s IT assets and its network safe from people who want to do you harm. The threats are relentless and they just keep getting stronger and coming at us from all directions. Additionally, what could happen if the bad guys do get in can now be disastrous because of the importance of information technology when you consider how much customer data can be lost, how many corporate secrets can be lost, and then the threat of lawsuits because of the breech. As CIOs we probably should not be sleeping very well at night and here are the reasons why.

Just Exactly How Exposed Is Your Company?

Based on all of the monitoring systems that you already have in place, by now you should have a ton of data on your network’s vulnerabilities and how often people try to break into your network. However, even with all of this data there is one question that you probably still can’t answer: just exactly how much risk is your company really facing right now? All of your risks have to be managed; however, before you can do that you are going to have to first quantify your risks.

This all sounds like a good idea, but its hard to do. One of the biggest issues is that there is not currently an accepted way to measure how healthy your company’s cyber defenses are. There are some industry standards for such things such as those published by the National Institute of Standards and Technology. However, since every company’s network is different this means that the risks that you are facing are unique and you have to come up with your own set of metrics. One way to communicate IT risks to the rest of the company is to rank them on a scale from 1-15. It is possible to use information from a security-rating firm to benchmark yourself against other firms. However, this data may not provide company management with a complete picture of where things stand.

A better way to go about measuring how exposed your company is can be to monitor how much of the software that your firm uses has been updated to the latest version of the software. What this should reveal to you is just exactly how effective your company’s patching procedures are. This is important to know because a patch can fix a vulnerability that hackers can use to gain access to your network. The person with the CIO job can also track the speed at which significant intrusions are detected. Your goal here should be to see that your company’s times are improving steadily and they should also compare well to industry averages. The last thing that you want to discover is that there was an incident that had existed for a long period of time.

Who Is Permitted To Gain Access To What Data?

So what are some of the biggest issues that the person in the CIO position needs to be worrying about? It turns out that as your network comes under more and more assaults, a significant vulnerability is starting to show up more often: employees who log into company computers remotely and who sometimes use their own devices to do this. The bad guys know that all of this is going on. What this means is that they are starting to go after any vulnerable points that may lie beyond your corporate walls. As a CIO what this means for you is that the areas of controlling access to networks and managing user accounts is starting to become one of the areas where CIOs are going to be spending a lot of money in the near future.

How can these portals into the corporate network be secured? One way to accomplish is to implement a strategy that is called “zero trust”. Using this technique, users are given access to a portion of an application or a data set. This is instead of providing them with access to your entire corporate network. All of this is accomplished by using strict identity-authentication processes. As an example of how this would work, if a sales representative logged into your network, they would not be permitted to access human resources applications or data. This is unlike the situation that a lot of workers find themselves in today where once they log in, they have full access to everything on the network.

There are other security techniques that can be used to limit access to the corporate network. One such technique is called two-factor authentication. These types of systems used biometric tools to identify a user such as a fingerprint reader or a facial recognition scanner. These are only the beginning of sophisticated systems that are designed to recognize individual users. New products are currently being developed that will permit a user to be identified based on how they choose to interact with their computer. This can include such things as how they hold it, how they type on its keys, and how they use the cursor.

What All Of This Means For You

On top of all of the other things that a modern CIO is expected to take care of, it turns out that keeping the company’s data and networks safe from outsiders who want to break in is a top priority. However, the people who are trying to break in keep getting better and using better tools. What this means for CIOs is that going forward we’re probably not going to be getting very much sleep!

One of the fundamental questions that CIOs have to find an answer to is just how exposed are they? You are facing a lot of different risks, but you will first have to prioritize your risks so you know what to deal with first. One of the biggest challenges that CIOs face is that there is no acceptable way to classify just exactly how much risk you are facing. The goal is to find a way to be able to update the rest of the company on the current status of your risks. What many CIOs do is to monitor how good of a job they are doing with patching software and how long it takes them to respond to a break in. Workers who access the corporate network remotely are a large security vulnerability for CIOs. CIOs can secure their network by implementing a “zero-trust” policy that limits what remote users can access when they use the network. Biometric tools can be used to implement two-factor authentication. New tools are being developed that will do an even better job of confirming who is accessing the network.

The key to being a successful CIO is to always be on your guard. The bad guys are always out there looking for ways to break into your network and steal your data. Realizing this means that you now know where you are going to have to spend your time in order to harden your network. Making sure that your employees can access the network to perform their work while keeping the bad guys out is the key to being a CIO who gets the job done!

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What steps should a CIO take when a break in of the corporate network is detected?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

Let’s agree on one thing: the people who work at your firm are smart people. Right? There’s no way that they would fall for one of those phishing attacks that we read about in the paper all the time. Or is there? As the person with the CIO job, one of your biggest issues is that the bad guys who are attacking your corporate network are getting more sophisticated, more prevalent, and more dangerous every day because they understand the importance of information technology. These bad guys come in all sorts of different forms. Organized criminals attempt to steal your financial records, terrorists try to encrypt your systems as a part of a ransomware attack, and even whole countries are trying to gain access to your systems so that they can lay there dormant until it suits them. What’s a CIO to do?