“Every company today is at huge risk of losing sensitive, privacy-protected information to hackers. Every company today … is susceptible to state actors attacking their systems to get very sensitive, proprietary business information. And every company today, to some extent or another, is at risk of having their public-facing systems taken down through denial of services attacks.”
Michael Leiter, former director of the National Counterterrorism Center and a presidential advisor on cybersecurity, painted a sobering picture of the IT landscape in his recent Microsoft Virtual North America CIO Summit Q&A. “When I left government three years ago and I would talk to Fortune 500 CIOs, about a third to a half thought that cyber threats were really significant. I don’t think that’s the case today. I think 100 percent understand.”
A CIO’s job is to lead the charge for securing data. This effect means convincing the rest of the C-Suite to invest in and prioritize protection efforts. First, the CIO must engage with other executives to learn what information would give competitors a huge advantage—material that would be the most painful (or even fatal) to lose. Then Leiter advises finding “a set of case studies of other companies who are similarly situated [that outline] what they did and about how they were still penetrated.” These real-world examples can act as a wake-up call for colleagues who are convinced that a little effort is good enough.
Careful monitoring of those often-protected connections can help IT departments spot a problem before it turns into a nightmare.
Leiter reminded attendees that technology is only as good as the people who are using it, so the bigger problem can be educating employees about smart behaviors: “You can set up perfect technology, perfect defenses … [and] it’s still going to turn out that if you have an employee that clicks on a PDF file [that] has a sophisticated, advanced persistent threat embedded in there, technology probably isn’t going to save you.”
In fact, Leiter says the two biggest mistakes a CIO can make are forgetting about internal risk and failing to carefully monitor those entities just outside the immediate corporation that still tap in to a company’s IT environment (such as suppliers, lawyers, and equity firms). Spend time auditing the access levels and close open pathways that aren’t regularly used. And although controlling the security of external partners is unrealistic, careful monitoring of those often-under-protected connections can help IT departments spot a problem before it turns into a nightmare.
Smaller companies aren’t immune to these vulnerabilities, and cloud-based information storage can be a good avenue to explore. “The cloud doesn’t solve every problem,” Leiter said, “but I think, to smaller organizations and nonprofits, the cloud is a really, really valuable way of investing effectively in security.” His reason? Large IT providers have the time, resources, and money to spend on advanced systems that the average small business simply can’t afford.
Leiter returned to one notion several times: as the information game changes, storytelling is a critical skill for a successful CIO. A convincing narrative about potential dangers, best practices, and, yes, horror stories can persuade everyone—from the guy in the facilities department whose mom sends him email forwards to the executive who is reluctant to loosen the purse strings—keep information security top of mind.
How has your CIO convinced the C-Suite to prioritize information security? Tell us on Facebook.