The Obligations of the CIO in Today’s Cyber War
by Greg Moran
The CIO job is a tough one these days…
You have to be a strategist, a budget hawk, a peace-maker, a people leader, a police captain, a friend and an evangelist. Wow…that’s a lot of hats to wear and I’m only scratching the surface — there are more!
The role I want to focus on today is the police captain role. That's another job that requires a lot of hats…at least the CIO role doesn't involve life and death!
If you are CIO in a regulated business (as many of our clients are), you find yourself in an almost untenable position. You have to cut IT spending year over year while facing a climate in which cyber risk is escalating rapidly and regulators are increasingly requiring that companies deploy all possible solutions or risk being found negligent in the event of a breach (even if no customers are harmed).
Don’t take my word for it…in the aftermath of a breach at Bank of America, Forbes reported this conversation with Brian Moynihan, Chairman and CEO:
… Bank of America Corp. CEO Brian Moynihan said the nation’s second largest lender would spend $400 million on cybersecurity in 2015… and it was the first time in 20 years of corporate budgeting he had overseen a business unit with no budget. Moynihan said the only place in the company that didn’t have a budget constraint was cybersecurity.
And from the California Attorney General:
The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
Check out the 20 controls…they are pretty comprehensive, and if there is a technology available to you that helps address the list of controls and your organization is not using it, you are putting your organization at risk in the event of a breach (not to mention increasing the odds and risk of the breach itself).
If any state AG finds you negligent, you risk painful fines, consent decrees and almost guaranteed class action suits.
Aware doesn't have all the answers to these tough questions, but we do help with one critical aspect — securing your enterprise social network. The internal bad-actor threat is a top-five concern for every organization.
One of the places you can anticipate risk is on the enterprise social network.
First, you can ensure that limited risky data is posted on the internal network — and you can torque down the screws as tight as you want with customized policies.
Second, you can make sure that the enterprise network doesn’t contain smoking ‘bad behavior’ guns — again with customized policies.
Finally, the pièce de résistance — the ability to see patterns of conversation and behavior across your enterprise network — an early warning system for disgruntled members of your organization.
Aware is your window into the virtual water cooler and lunch table — that’s where people speak their mind. The implications are obvious.
Learn more about securing your collaboration network with Aware's legal operations checklist. Watch the webinar now.