Implementing Enterprise Security – Cool Toys Alone Can’t Protect You

There are many great cybersecurity solutions out there.  Firewalls, endpoint protection, encryption, intrusion detection, and data loss prevention make up just a handful of the point solutions at a
CISO’s disposal for countering a cyber attack.  Unfortunately, the tools alone are not enough. There needs to be an executive ownership and accountability aspect to prioritizing and implementing the RIGHT controls to protect sensitive data and information.

People can often be the problem

Have you ever clicked on that ad on your favorite news website promising a beach vacation?  Or, have you ever plugged in a USB device you got at a trade show?  No, of course you haven’t. How many of your co-workers, however, have done those things – or worse?

Suppose each employee at your company encounters 10 such risks per day.  It’s no wonder the news is full of successful data breaches.  The human element will just about always nullify the best security tools.  The bad guys know this and are counting on it to get what they want.  Hacking a system is expensive, time consuming, and inconvenient.  Hacking a person is easy, scalable, and often yields a high reward.

IT alone can fail – executive leadership needs to care

If people are an issue, what can be done to get them in line?  That’s where the executive leadership team comes in.  Leaders must be involved in building, monitoring, and enforcing the organization’s information security program.

The more familiar executives are with the risks, the more likely they are to become IT’s biggest ally.  For example, when executives see tangible examples of how much damage people with administrative rights can do, they’ll be more likely to support tightening up policies around these rights. They’ll feel invested and accountable. If leaders are out of the loop, IT will be left alone to face the consequences of exploited vulnerabilities.

Protecting everything is impossible – protecting what’s important is feasible

Companies know what is sensitive data and what is not.  Whether or not the business has defined and articulated that to IT is another story.  Investing time and energy into protecting and monitoring the vacation tracker spreadsheet is most likely a waste.  Shifting those resources to protecting the human resources database or accounting system puts the controls right where they need to be.

As for cost, you may be able to implement a particular security tool at a lower cost using a focused approach, and then phase in additional, lower-priority targets as the resources to do so become available.  By working with your business partners and prioritizing, you can protect what’s important sooner, while keeping costs to a minimum.

A risk-based approach to building an enterprise information security program is critical to prioritizing and resourcing the program successfully.  Point security solutions do a great job at solving specific problems.  If you really want to lower your vulnerability footprint and provide controls that actually have impact, however, it’s crucial to engage the entire leadership team to work together with IT to implement controls that actually work as well as drive business value.

Want to start a conversation with Arraya’s Cyber Security Practice? Reach out to us at: www.arrayasolutions.com/contact-us. You can also find additional insights, news on our upcoming events, and more on social media: LinkedIn, Twitter, and Facebook.