5 Assumptions CISOs Make That May Threaten Data Security

Philip Robinson by   03.01.2019   CISO

In many ways the cybersecurity market has been through a period of maturation and growth over the last few years. Broadsheet newspapers are running 10-page features on it, mainstream news programs are discussing it and board level executives are starting to take notice. In many ways, cybersecurity is now mainstream.

However, there is a long way to go yet. Despite the role of the CISO and CIO being given more weight by the rest of the board, many organizations are still struggling to keep their most valuable asset secure; their data. They may have incredible cybersecurity talent and technologies, but they still fail.

Why is this? This may well be because CISOs are assuming that everyone else holds cybersecurity to the same level of importance as they do. It’s assumptions like these that could potentially lead to your data being at risk.

Here are five assumptions that all CISOs should double check to ensure that your data security strategy is as stringent as possible:

Assumption 1: Everyone Treats Data as Carefully as You

Sometimes we tend to believe that everyone understands the importance of good data security and how valuable data is. Unfortunately, this isn’t always the case. I guarantee that there are members of staff within your organization that would easily fall victim to a well phrased phishing email or delete a file without thinking about the consequences.

It can also be dangerous to assume that everyone in your IT/security team knows exactly where the most sensitive data resides within your environment. The people on the front lines who are the most likely to be able to detect a data breach need to know where to look. That doesn’t mean you have to give them access rights, by the way.

Assumption 2: The Rest of the Board Understand Data Security

Cybersecurity effectiveness often breaks down due to poor communication. CISOs may be using acronyms and common cybersecurity terms and assuming that the meaning is registered by the rest of the board. In reality, most people switch off when you start using acronyms and buzzwords. Unfortunately, the world of cybersecurity is full of them!

Simplify how you speak to the rest of the board and talk in terms of risk. If there’s one thing everyone understands, it’s money. If you are able to communicate that your current cybersecurity strategy is likely to cost your business £2 million in non-compliance fines in the near future, they are far more likely to authorize that spend.

Assumption 3: If We’re Compliant Then We Must Be Secure

Security regulations are in place to guide you towards better security practices and processes. However, they are often geared towards very specific circumstances. If you limit what you implement to only what is required from compliance regulations, then you are likely leaving yourself wide open to a variety of internal and external threats.

Treat compliance regulations as a starting point and an excuse for the rest of the board to approve that cybersecurity budget you’ve been wanting.

Assumption 4: More Technology Equals More Security

Often, security teams go out and implement multiple cybersecurity solutions targeted at specific areas. One to defend against external threats, one for privileged access management, one for mobile device management and so on.

Whilst it is important to have security solutions in place that address all of the potential attack surface in your environment, your strategy should be focussed on the thing that matters most, the data. Start with a comprehensive data security platform that can locate and monitor your sensitive data. From there you can build an ecosystem of solutions that tie into this data security platform. This will help give some focus to your technology strategy and make it easier to manage from a day to day operational standpoint.

Assumption 5: If I Do Everything Right, I Won’t Suffer a Data Breach

This is an assumption that is only made by people who haven’t worked in data security for a long time. Most CISOs know that you can do absolutely everything right and still fall victim to a crippling data breach. So, the focus now shifts to how you are able to handle a data breach. Do you have all the right processes in place to detect a breach in progress and mitigate damages? Are the technologies you invested in doing their job? Are you able to inform all affected parties and the appropriate governing bodies when a breach occurs? These are the kind of questions you need to be asking yourself.

If you need help with your cybersecurity strategy, particularly when it comes to making sure you have the right technologies in place, come and talk to Lepide.