So how can enterprises get from where they are today to having a cohesive, funded and fully implemented information security program? IT leaders and analysts share tips for navigating these muddy waters and protecting the organization from threats.
About a year ago, customers of sales and marketing advisory firm SiriusDecisions started asking questions about the security of the information they share with the Wilton, Conn.-based company. With all the news about data breaches, they were concerned that a weak link might jeopardize the competitive intelligence they shared.
Vice president of IT Jonathan Block knew the firm’s infosec policies and procedures were sound. SiriusDecisions operates entirely in the cloud, relying on big-name vendors whose security practices far exceed what the firm could do on its own. But he says the growing number of client inquiries, along with a slew of highly publicized security breaches at other companies, “lit a fire under us,” underscoring the importance of information security both internally and for the firm’s clients.
Today, SiriusDecisions shares detailed information with customers about its service providers’ security certifications and audits, trains every employee on information security awareness, especially social engineering — its biggest threat today — and earmarks 10 percent of its IT budget specifically for infosec initiatives.
Asked to grade the firm’s efforts, Block says, “I’d give us a solid B. Our goal is to try to get ahead of a lot of these things. The frequency and severity of attacks are always going to increase, but we’ve identified the type of attacks that do the most damage, and we focus our efforts on those.”
Create a communication channel
At Wells Fargo, executives are much more knowledgeable about information security than they were four years ago, says chief information security officer Rich Baich, who became the bank’s first CISO in 2012.
Much of the improvement centers around better collaboration and communication between technical and nontechnical staff, business units and executives, he says. To help get there, Wells Fargo realigned its security hierarchy. In January 2015, Baich began reporting to the chief risk officer instead of the CIO to emphasize security’s risk-based focus and to improve transparency with the board of directors.
“I’m not in technology,” Baich says. “[The new hierarchy] allowed us to effectively create a communication channel that helped people understand the language of security, the importance of security, how it fits into the larger, overall risk management construct — and ultimately helped drive and make this part of our culture, [in which] every individual team member is a risk manager.”