CIOs are Chief Officers for Information. This means end-to-end responsibility and accountability for the collection, analysis and dissemination of the most valuable asset in the enterprise — information. While accurate and timely delivery of information is important, securing the information that matters is vital. The most valuable asset falling into the hands of adversaries on the prowl can have disastrous consequences. Hence the role of the Chief Information Security Officer. Hello, CISO! CIOs must stay engaged in a constant dialog with their CISOs to address the security concerns pertinent to their enterprise with the appropriate strategies. CIOs, in other words, must secure their relationship with their CISOs.
So, what are the top five questions that CIOs must ask to effectively ensure information security across the enterprise?
1. Are our frameworks secure enough to combat criminals? Enterprises tend to view the adoption of standardized security frameworks as an adequate measure to address concerns. But these frameworks themselves only serve to give a false sense of security in a world where criminals are steps ahead.
2. Are we taking the right steps to address board-level security concerns? Data security concerns have escalated all the way to the Board of Directors, based upon the survey cited in a ComputerWorldUK article by Antony Savvas. Proactive risk management is vital to address today's security concerns. Enterprises must be steps ahead of their adversaries in planning their next move in the game of security.
3. What are the conventional and non-conventional techniques adopted to identify the criminal mindset in advance? Unconventional techniques, such as the application of gamification methods and psychological analysis, are augmenting the more conventional techniques today. Benchmarking ourselves against our peers is another effective approach. How about applying recurring cycles of Observe, Orient, Decide, Act (also known as the OODA Loop) to get inside the hacker's mind?
4. How are we estimating the cost of cybercrime to our enterprise? There are multiple contributing factors here that can be characterized across Loss of Revenue and Cost of Execution. Knowing this cost is essential to making the business case for the security measures adopted within the enterprise.
5. Guess who is responsible for Cloud Security? Guess again! The ultimate responsibility of ensuring the security of the solutions deployed in the Cloud rests with the enterprise that owns the overall solution.
Interestingly enough, the answers to these questions could vary from one enterprise to another. Nevertheless, posing these questions and having a healthy dialog between the CIO and the CISO is a key step to ensuring that this relationship is secure.
How about you? How secure is the CIO-CISO relationship within your enterprise? What are other questions that can contribute to this dialog? Please let me know.