Posts Tagged ‘compliance’

Poisonous Snakes, Sharp Knives, And Angry Natives: How Much Risk Can You Handle?

Monday, October 19th, 2009
CIOs Know That Security Threats Can Strike At Any Time

CIOs Know That Security Threats Can Strike At Any Time

Ok CIO wannabe, we’re right in the middle of a global financial crisis and your IT budget has gotten slashed so much it looks like Freddie Krueger has come back and had his way with it. What are you going to do about your spending on security programs: cut ‘em, hold the line, or spend more. Whoops – that was a trick question: all of the answers will get you in trouble.

What The Other Guys Are Doing

Before making any big spending decision, any self-respecting CIO will do what all leaders do – try to find out what the other guys are doing in the hopes that you can just copy them. Well, in this case you’ll be getting mixed signals.

A survey done by Information Week magazine revealed that 19% of CIOs are cutting their security spending. On top of that, only 27% of the surveyed CIOs are planning on increasing their security budgets – that leaves roughly 50% doing the same old thing.

Its starting to look as though the final remaining sacred cow of IT budgets, spending on securing the enterprise’s IT assets, has finally fallen under the budget trimming axe. This is an excellent opportunity to learn how to be a better CIO: cut too little and the company goes under, cut too much and the company may get sued when your defenses are breached.

What’s Worse: Poisonous Snakes or Sharp Knives?

Here’s another part of your CIO quiz: when your security budget comes under fire and you know that you’re not going to be able to save the whole platoon, who do you pick to live and who do you let die? Tough call eh? That Information Week CIO survey revealed that most CIOs have decided that any security program that deals with compliance in some way, shape, or form needs to be saved.

In the end, CIOs are finally starting to realize that an effective corporate IT security policy consists of just two things:

  • Managing Risk
  • Protecting Data

Don’t Forget About The Angry Natives -
How CIOs Prioritize

If the job was easy, then anyone could be a CIO. The CIOs who get it, those who understand what effective IT security is really trying to do, know that the first thing that they have to do is to determine the company’s overall appetite for risk. If the company has an appetite for a lot of risk, then the CIO can trim the IT security budget to the bone. Otherwise, cut with care!

Successful CIOs realize that the right way to go about setting up an IT security program is to start by realizing that you can’t protect everything to the same level and so you need to identify what IT assets are the most valuable to the company. Once you know this, you need to take the next step and estimate the likelihood that those assets might be lost.

Only after you have both of these pieces of information can a CIO have the IT team start to create security programs and put systems of controls in place to protect what needs to be protected. Although compliance programs are on everyone’s minds in these tough economic times, CIOs need to keep in mind that such programs are not always in line with security best practices.

Final Thoughts

If you want to have any hope of ever being a successful CIO, you’ve got to learn to be able to make the tough calls when it comes to funding corporate IT security programs. Although putting measures in place in order to make sure that the company remains complaint with regulations is good, it’s not nearly enough.

Taking the time to properly value your corporate IT assets and identifying what kinds of risks this data faces is the critical first step that too many CIOs skip over. Take the time to do this correctly and you’ll be well positioned to deal with poisonous snakes, sharp knives, and angry natives. Now if we could just find some way to deal with those pesky rampaging elephants…

What do you think should be a CIO’s #1 security concern: remaining in compliance or dealing with the security threat that comes from outside?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Ok all you CIOs wannabes, guess what one of your first problems is going to be once you assume control of the IT department? No, not that innovation thing. Nor will it be finding new ways to cut costs. Somewhat amazingly considering that we are living in the enlightened 21st Century — you will need to find more women

http://www.theaccidentalsuccessfulcio.com/wp-admin/

Tags: , , , , , , , , , , , ,
Posted in security | 1 Comment »

Protecting Company Data Is How CIOs Can Make Friends With CFOs

Wednesday, July 1st, 2009

Securing A Company's Data Provides CIOs With An Opportunity To Work With The CFOData Security. There I said it. It sorta lays there like a big lump of coal and everyone in the company stands around looking at it wondering who’s responsibility it is to do something about it. Nobody, including CIOs really wants to touch it for one very simple reason: it’s a losing proposition.

How To Make Friends With Your CFO

Data security, despite being big, heavy, and ugly, always seems to end up in the CIOs lap. Since you really can’t do anything to prevent this, it sure looks like this is  a great opportunity to try to turn a liability into an asset. Ericka Chickowski over at Baseline magazine has taken a look at this issue and come up with some interesting ways to help CIOs work more closely with CFOs. It all starts with compliance. Now compliance is just about as exciting as security; however, firms are willing to spend the big bucks on making sure that they are compliant because they know that there are potentially some big financial penalties if they don’t. It is the clever CIO that sits down with his / her CFO and explains that the company’s data security program can be thought of as an extension of its compliance program. What this means is that you don’t really need a separate program and your costs should be much lower. What CFO wouldn’t be interested in hearing that?

Get Your Priorities In Order

One of the things that the CIO can learn from the compliance side of the house is that a critical first step is to make sure that you prioritize the company data that you are going to be protecting. All data is not created equal! What’s interesting here is that the importance of any single piece of information is based on two things: its value to the company and its role in keeping the company compliant. If your firm was a hospital, then clearly an electronic patient record would fall into the “top priority” bucket .

Act On Your Priorities – Not Necessarily Your Compliance

The level of protection that the IT department needs to surround a given piece of information with will depend on the result of this prioritization. I hope that you realize that this is just a fancy way of saying that there is some company data that you DON’T have to protect (or at least not very much). Just about now you’d expect me to say that you should always go all out to protect ALL of your company data that is involved in a compliance program. But I’m not going to do that. Chickowski points out that not all regulations are created equal. In fact,  some have fairly weak “teeth”. These are all things that the CIO and the CFO need to understand as they create a data protection plan / compliance program for the company. Spend those limited budget bucks to make sure that the important data is secure and then do what you can for the rest

Final Thoughts

Within the company, the CFO ALWAYS wields more power than the CIO – money talks. Folding a company’s data security program into its compliance program is a great way for a CIO to work closely with the CFO and end up saving the firm money (always a good thing) and ensuring that it is both compliant and its data is secure. In addition to providing a CIO with a reason to talk to the CFO that doesn’t involve begging for more money, an agreement about securing the company’s data can allow CIOs to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your company have separate compliance and data security programs? Does your CIO talk with the CFO about how best to secure the firm’s data? Do you prioritize your data or is it all treated as being at the same level of importance? Leave me a comment and let me know what you are thinking. Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens that would prevent this from happening. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?

Tags: , , , , , , , , , , ,
Posted in security | 1 Comment »