"As we continue to improve in certain areas, the bad actors don't go away," Nai says. "They don't go out and get legitimate jobs. They simply move to another attack vector."
The board will see you now . . . and now . . . and now
Just about all of the security professionals and CIOs interviewed for this article said they expect to put more emphasis on communicating with their boards in 2016.
"Three years ago, unless there was a breach, a person in this role would rarely get to talk to the board. Now it's not unusual to talk to the board once a quarter," says a manufacturing company CIO who requested anonymity. "They're trying to evaluate risk, and they want to feel confident that I'm putting measures in place that are cost-effective and protect the company."
Darren Van Booven, cybersecurity officer at the Idaho National Laboratory, says the success of a risk management and security program hinges on IT leaders having access to, and the ability to communicate with, senior executives.
"It's imperative to understand the business of the organization," he says. If you don't, you can't articulate risks in a way that the leadership understands. "If you hear CISOs saying they're not being listened to, that's why," Van Booven says.
In addition to board members, Van Booven meets with most senior managers to share information and provide training.
"This peer-to-peer meeting between Darren and other senior leaders has made a big difference in their commitment [to security]," says information management program integration director Hortense Nelson. "That personal element is very important."
Security outside the walls
Beyond internal communication, IT leaders like the manufacturing company CIO find themselves increasingly working outside the company's walls -- with supply chain partners and their boards, in his case. The CIO has drafted a security questionnaire that he is proposing be added as a regular part of the vendor management process.
Dave Cooke, director of technology at Altum, a Reston, Va., consulting firm and software-as-a-service provider, has been on the receiving end of such questionnaires and says he is seeing an increase in their use by client companies. Altum's customers are large foundations and other organizations that give out grants and use Altum's grant-tracking software service to monitor distributions and how recipients are using funds.
"When we get a client that wants to sign up for our service, they send us a security software questionnaire. We have to answer a litany of questions before they consider us," says Cooke. "We've seen an uptick of these in the last 18 months. They help us because we figure if they're asking these questions, we need to take the same [issues] into account."
- Julia King
This story, "Forecast 2016: Security takes center stage," was originally published by Computerworld.
Source: CSO Online