Businesses find themselves in many different stages of development when it comes to information technology and security. Smaller businesses may not have anyone on staff dedicated to IT or security. Functions that go beyond basic computer knowledge, the ones the resident computer-savvy go-to person can’t handle, are outsourced. Slightly larger businesses may have an IT department but no dedicated IT security staff. After all, security is the responsibility of everyone.
Enterprises should have dedicated IT security staff and C-level representation in a Chief Information Security Officer (CISO). In every one of these business types, security compliance must still be driven from the very top of the organization, be that the owner or CEO. This is rarely the case, however, as described by Joel Brenner in a blog article for Harvard Business Review. Everyone likes to point fingers elsewhere, and in the current environment, which all but ensures that the CISO is expendable, it is easy to see why this is the case.
There are several important reasons why security compliance must be driven from the very top of an organization. First, it must be clear that no one is exempt. Second, it must be clear that it is important. Third, it must be clear that those enforcing policy are acting on behalf of the CEO.
No one is exempt from security, yet we have all seen this happen before. Company policy requires that only certain expenses be paid by the business, yet there is an exception for certain people. Everyone is allowed to have only one monitor, yet some people always end up with two or even more. The company provides only one model of phone, yet the CEO and friends have something better. Company policy requires everyone to be badged and to scan in when they arrive, yet tailgating is still a common practice. Who would shut the door in the face of their own manager rather than hold it open? Common human behavior is to think the rules apply to other people: that for some reason they are above the law, too smart to be conned by a phishing email, or too careful to be compromised.
Security is important, and everyone needs to understand that. To demonstrate, it is best to describe what happens when not enough attention is paid to security. The chain store Target is an easy example, mainly because so many people heard about it and were affected by it. The credit card breach has certainly affected their bottom line, but they are big enough to continue on in spite of it. A breach like this makes management look bad, makes the business look like it does not care about its customers, and is a public relations issue. Smaller businesses could be destroyed by a similar event. Breaches that involve more sensitive personal data may also bring lawsuits, doing even worse harm than simply putting a company out of business.
It must be clear that those enforcing policy are acting on behalf of the CEO. Too often those who enforce policy are put in the position of the bad guys. The perception is that these are the people who make it difficult to get work done. They only add red tape on top of things that otherwise should be easy to accomplish. Their software and scanning slows down PCs and their web blocking makes it more difficult for employees to stay connected to friends and family while they are at work. To combat this, regular all-hands meetings or communications from the CEO should include a security update, and the CEO should speak to current initiatives regularly. Getting everyone on board with the company’s goals and directions is part of the job of the CEO.
The role of the CISO, be that an actual CISO, the IT department, or whoever is in charge of information technology, must report directly to the CEO on recommendations for security. This is not a suggestion that the CEO must take on the role of the CISO. In fact, the CISO position should provide the narrative for the CEO in order to lift the burden of security as much as possible from the shoulders of the CEO. Is your business struggling with this relationship and this process? Are you part of an understaffed IT department that is trying to take on more roles and projects than you have time for? Are you taking on the role of the CISO in your organization and feel overwhelmed? Chi Corporation can help ease these burdens and provide guidance or even assume aspects of the CISO role for your organization. Contact us to find out how we can help!
Paul Comfort
Senior Systems Engineer
Chi Corporation
@PCComf
440-498-2300