You would be surprised to know how many CISOs and CIOs start implementing a security plan without reviewing the policies that were already in place
CISOs and CIOs are responsible for the implementation and management of security plans in an organisation.
Here we have have listed the five top steps that you need to take into account at the time of implementing one.
Assess the current state of the security environment
It might sound obvious but you would be surprised to know how many CISOs and CIOs start implementing a security plan without reviewing the policies that were already in place in an organisation.
It’s important to assess previous security strategies, their (un)effectiveness and the reasons why they were dropped out. Was it a problem of implementation, lack of resources or maybe management negligence?
Once you have reviewed former security strategies it is time to assess the current state of the security environment.
Has it been maintained or are you facing an unattended system which needs basic infrastructure work? Are there any protocols already in place? How security-aware are your staff and colleagues?
Use risk registers, timelines, Gantt charts or any other document that can help you set milestones, track your progress, keep accurate records and help towards evaluation.
A master sheet is always more effective than hundreds of documents all over the place and helps in keeping updates centralised.
The making of a chief security officer
Set security measures and controls
Once you have determined all the risks and vulnerabilities that can affect your security infrastructure, it’s time to look for the best solutions to contain them.
Prevention, detection and response are the three golden words that should have a prominent position in your plan.
In the case of a cyberattack, CISOs and CIOs need to have an effective response strategy in place.
It should explain what to do, who to contact and how to prevent this from happening in the future. Keep good records and review them frequently.
CIOs are responsible for keeping the data of employees and customers/users safe and secure. Familiarise yourself with relevant data protection legislation and go beyond it.
While meeting the basic criteria will keep you compliant, going the extra mile will enhance your reputation and integrity among clients and colleagues.
As we suggested above, use spreadsheets or trackers that can help you with the recording of your security controls.
Make them live documents easy to update, always keeping records of past actions: don’t rewrite, archive.
Ensure end-to-end security at every level of your organisation and within every single department. Protect files (digital and physical) from unauthorised access.
Create a data map which can help locating where and how files are stored, who has access to them and for how long they need to be kept.
You might have been hoarding job applications for the past 10 years but do you really need them - and is it legal to do so?
In a mobile world where all of us access work email from our smartphones or tablets, BYOD policies are as important as any others regulating your office activity.
Make sure that you cover all sort of actions involving the data that your organisation handles.
Depending on your sector you might want to focus your security plan on specific points. Whereas banking and finance services need an excellent defence against fraud, internet or ecommerce sites should be particularly careful with DDoS.
In any case, cybersecurity hygiene and a comprehensive anti-data breach policy should be a must for all sectors.
Create a dynamic security culture
This is probably the most important step in your security plan as after all, what’s the point of having the greatest strategy and all available resources if your team it’s not part of the picture?
As a CISO or CIO, it’s your duty to carry the security banner and make sure that everyone in your organisation is well informed about it.
Make training available for all staff, organise refresh session, produce infographics and resources, send regular emails with updates and reminders…
Security starts with every single of your employees - most data breaches and cybersecurity threats are the result of human error or neglect.
Whereas you should be watching for hackers not infiltrating your system, a member of staff plugging a USB device found on the car park is equally harmful.
Use your imagination: an original poster might be more effective than hours of death by powerpoint training.
Emphasise the fact that security is everyone’s responsibility and that carelessness can have devastating consequences, not only economical but also in terms of your business reputation. Data breaches are not fun and can affect millions of people.
Securing the business and educating employees has been cited by several companies as a concern. Telefonica O2’s CIO Brendan O’Rourke sees cybersecurity as a key issue for every organisation.
“I think it’s important that we make it very clear to the executive teams what is going on in security and their online activity,” he said. “It will demonstrate how attuned staff and executives are with technology and how aware they are with the security issues.”
Awareness is the key!
Use your imagination: an original poster might be more effective than hours of death by powerpoint training.
Review your budget
Yes, unsurprisingly money is a determining factor at the time of implementing your security plan.
Whereas changing passwords or encrypting documents are free, investing in adequate hardware or switching IT support can affect your budget significantly.
Computer security software (e.g. anti-spyware, intrusion prevention system or anti-tamper software) are sometimes effective tools that you might need to consider at the time of drafting your budget.
Prioritise: while antivirus software or firewalls are essential to every single organisation that uses a computer, security information management (SIM) might not be relevant for a small retail business.
Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills.
Plan your response to digital extortion in advance
Collaborate with colleagues and stakeholders
Although it’s your skills and experience that have landed you into the CISO or CIO job, be open to suggestions and ideas from junior staff or customers - they might have noticed something you haven’t or be able to contribute with fresh ideas.
CISOs and CIOs are in high demand and your diary will barely have any gaps left. Build a closely-knit team to back you and implement the security changes you want to see in your organisation.
Make use of the different skills your colleagues have and support them with training.
Bank of England CIO Robert Elsey thinks that talent can come from all types of backgrounds: "It starts to show the different qualities you need," says Elsey. "It's not just coding anymore. There's everything from business case history to the climate and sponsoring initiatives. We've got people from all kinds of different backgrounds now working in technology and it's making it a much better place.”
Successful projects are practically always the result of effective team work where collaboration and communication are key factors.
Transparency is another crucial asset and it helps towards building trust among your peers and stakeholders.
Collaborating with shareholders, CISOs, CIOs and business executives from other departments can help put a secure plan in place while also meeting the security standards of the company as a whole.
Follow CIO New Zealand on Twitter:@cio_nz
Sign up for CIO newsletters for regular updates on CIO news, views and events.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.