The frequency and magnitude of security breaches continue to rise. Target, LinkedIn, Home Depot, Twitter, Wendy’s, Sony, and the list keeps growing. Even more worrisome, many breaches go unreported or, worse yet, undiscovered. C-level executives are increasingly concerned with protecting their companies from security breaches. LightEdge’s Chief Security and Compliance Officer, Jake Gibson, explores what questions C-level executives are currently asking in regard to security and what we should be asking.
With the spotlight on Information Security, business leaders are asking:
- Are we protected?
- What gaps do we have?
- Are we a target?
- What should we be protecting?
- We have a firewall and Antivirus software, isn’t that enough?
A firewall and Antivirus software were once considered a solid security strategy. While these are still good practices, this strategy is like locking your car doors. It keeps us from being an easy target, but will not protect us from the level of sophistication today’s cyber criminals have at their disposal.
Instead, we should be asking:
“What is our Information Security plan?”
Information Security is no longer just an IT problem. I propose designating a security task force for your organization that will work together to develop a comprehensive security plan. This group should represent a cross section of your company, including the executive team, business line managers, Information Technology, Human Resources, and Finance, to name a few.
The first mission for your security task force should be to document your company’s information security risks. A thorough risk assessment identifies potential threats and vulnerabilities your organization may have, so you can then develop your plan and prioritize your efforts.
Developing an Information Security plan can be overwhelming, but we don’t have to start from scratch. ISO 27001, HIPAA, PCI, Sarbanes-Oxley, NIST and other regulatory frameworks provide excellent guidance. At a minimum, an information security plan should include the following:
- Risk Assessment
- Risk Treatment
- Security Controls
- Information Security policies
The last two elements are critical to the long-term success of your plan:
- Employee awareness program
- Continual improvement
By developing a comprehensive, risk-based information security plan, we become proactive rather than reactive to information security events.