
Security Policies Are What CIOs Know Make Good Security Solutions

Wednesday, July 8th, 2009
CIO's Realize That A Good Security Program Requires A Good Set Of Policies

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm you can pay millions to come in and take care of this problem once and for all? Bad news: the answer is no.

How Policies Make A Security Program Work

Securing a firm’s systems and data is a daunting task. The first step to doing this successfully is to develop a risk management program that captures and describes the various internal and external risks your firm currently faces. Next comes prioritization, which ranks those risks by how likely each one is to occur and how much damage it would do to your firm if it did. All risks are not created equal.

Once you have prioritized the risks that your firm is facing, the CIO needs to step in and make sure that a program of actionable policies is created to address them. All too often this is the step that gets skipped, and no matter how much technology you throw at the security problem, without a good set of policies you will never be able to secure your systems.

Policies Secure Your Systems Day-To-Day

What too many CIOs tend to forget is that the key to any company’s security program is the human element, and you manage this by having a clearly understood set of policies in place. Writing the policies is only the first step; making sure that everyone knows about them and is actually living by them are the steps that follow.

Kevin Mitnick is a reformed computer hacker who tours the country talking to businesses about the importance of securing their systems. I had an opportunity to hear him talk recently and it was amazing to hear how he acquired the information that he needed to break into company computer systems.

Kevin used a technique called “social engineering”, in which he would basically call someone up and ask them for sensitive system information. Even when the firms had a corporate security policy in effect, Kevin was able to get the people he called to violate it. No, they weren’t angry with their company; they were simply trying too hard to be helpful. That is what happens when a security policy exists on paper but is not well known by everyone: the person on the phone has no rule they can point to when they decline a request.

Final Thoughts

Doing a risk analysis and prioritizing the results is the easy part for IT professionals. Creating policies that humans must follow, and then actually convincing coworkers to follow them, can be a real challenge.

A CIO can do a great deal to ensure that security policies succeed by publicly stating his or her support for them and then by following them. Everyone will know whether the CIO takes the policies seriously, and by showing that you do, you will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have security policies in-place? Have these policies been communicated to everyone? Do they understand them? How can you tell if they are following them? Are you following them? Does anyone know that you are following them? Leave me a comment and let me know what you are thinking.


What We’ll Be Talking About Next Time

So picture this: you’re a CIO and you desperately want to be seen by the rest of the C-level executives as something more than a simple cost center. What to do? If only there was some way that you could tap into all of that incredible creative energy that we all know lives in the IT department…

Kevin Mitnick Speaks About IT Security

Wednesday, April 29th, 2009

Kevin Mitnick is a reformed computer hacker who now provides security consulting

I had an opportunity to attend a very large IT health care show up in Chicago a while back and I was surprised to discover that Kevin Mitnick, the somewhat infamous computer hacker, was scheduled to give a speech.

Now even though I don’t move in computer security circles that much, I know about Kevin Mitnick. I know about him because I read Tsutomu Shimomura’s book Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It. If you’ve never read the book, I can recommend it. In a nutshell, Mitnick was a hacker who had evaded capture until he ticked off Shimomura, who is a computer security pro. After he did that, Shimomura went after him with a vengeance and eventually helped the authorities catch him and send him to jail.

Now here in America, we all enjoy a good comeback story and that’s basically what Kevin’s been living. He has reinvented himself as a computer security consultant and by all accounts appears to be making a very nice living for himself.

Kevin Mitnick's Business Card Contains Lock Picking Tools - Talk About Unique!

Since getting out of prison, Kevin’s been quite busy. He’s an author and he’s written two books: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers.

Kevin is actually a pretty good speaker. The focus of the speech that he gave was to remind CIOs that no matter how much they have invested in firewalls, RSA tokens, and passwords that change every 90 days, it’s social engineering that they need to fear the most.

Kevin’s speech consisted largely of stories of how he had broken into various computer systems using a variety of low-tech methods. These included making phone calls and asking for cell phone source code (thanks Motorola!) or simply dumpster diving to collect scraps of paper with usernames and passwords written on them.

Kevin pointed out that one of the most valuable items he ever got his hands on was the corporate directory for GTE. Once he had this, he had everyone’s phone number and knew who reported to whom. With that information he could place calls that sounded like they came from inside the company, and each call got him a little more information.

Kevin’s stories, and his continuing success on the right side of the law this time, should serve as a reminder to all of us that at the end of the day the people who work in and around an IT department are the weakest link in its security. If you address this, through policies that people know and actually follow, you will be much closer to having a secure organization.

Have you ever had a problem with someone trying to gain access to your department or network by using social engineering? What do you do to prevent “dumpster diving” from being successful at your place of work? Would you ever hire a convicted hacker to help you improve your cyber security? Leave me a comment and let me know what you are thinking.