
“Alarmingly, the economics favor the bad actors. A team of three or four hackers can extort $30,000 to $40,000 a day via ransomware.” – Anup Ghosh, Founder of Invincea

Not all security breaches are the result of hacking. Witness the recent release of 198 million voter records by a company providing services to the Republican National Committee. Hackers were not responsible for the release of the voter records; sloppy handling of the information was the cause. Making matters worse, the technical security environment is getting more complex, not simpler: there are more companies providing more security solutions. The critical factor in mitigating these security matters is a comprehensive corporate security program, and the key to such a program is a Chief Information Security Officer (CISO). Unfortunately, CISOs with the appropriate mix of skills are in short supply. The breadth of skills required of the CISO includes:
- Management presence and the executive skills to effectively lead, develop, communicate, and sell the security program;
- A deep technical awareness of the security ecosystem;
- The ability to effectively lead the technical experts.
What can you do?
First, you need to hire the right CISO. It is likely that the executive suite will need help to vet the right candidate, so hire an expert to help you. A misstep in hiring will result in a substandard security program. A CFO recently told us that they wished they had retained someone to help with the interviews. As the CFO put it, the fees would have paled in comparison to the cost of making the wrong hiring decision, paying the salary and benefits, and correcting the technical direction once they realized their mistake.

Second, implement a comprehensive security program that follows one of the several industry-standard frameworks.

Third, make sure you don't ignore the human element. Insider threats, whether due to negligence or intent, account for almost one-third of all security breaches and exposures.

Lastly, treat the CISO's mission as a C-level role. Involve the corporate leadership in oversight and decision-making with the CISO. Embrace the security program and make sure everyone else does, too. Get the right CISO and provide the right support, and you will be on your way to an effective security program.
