Can Your Company Survive Without Information Security?
Nobody ever said, "Now that the company is doing well, let's drop the CEO and CFO and use that money for other things like R&D or new products." But a few companies have asked me when they can stop spending money on information security and on their Chief Information Security Officer, or CISO, position. My answer is always the same: when the business ends.
While the CEO, the CFO and other executive positions have been around for decades, the CISO position is relatively new and not widely understood. Unfortunately, a company often hires a CISO only after it suffers a cybersecurity breach, usually without a proper incident response plan in place. Although many organizations still don't have a CISO, new industry compliance requirements and government regulations are pushing others to obtain one. However, many of them don't understand what a CISO should do. CISOs should be information security specialists who work well with staff and executives and have a good understanding of how businesses operate. They need to understand the security implications of every action the business wants to take and must be able to explain the risks and rewards, as well as the possible financial impact to the business.
- Make Sure Your Business Ideas Pass the Information Security Test
Because the best businesses are constantly changing to meet the latest needs and demands of customers, they are always asking, "What do we do to improve the lives of our clients and employees?" "What's next?" is discussed at most meetings among C-level executives, and the answer usually has security implications. It's the CISO's job to chime in on the risks versus rewards and on how a new idea could affect the company financially should it lead to a breach.
When the C-suite says, "Let's add a mobile app to allow customers to connect with us," or "Let's move data to the cloud where it can be accessed any time," the network security risks need to be considered, along with the ways to mitigate them.
- Know Both Your Information Security and Business Priorities
Ideally, a CISO should be an expert in security and well versed in business, able to understand and discuss the ways that changes to the business could affect security and costs. CISOs need to speak in business terms and show how company decisions can affect profit margins. Take a gift company, for example, that is considering adding a new cloud or mobile feature that would let customers order more easily for upcoming holidays. The new feature could affect the network security of the business. If it were to create vulnerabilities that allowed cyber attackers to breach the network or take it offline during a holiday when gifts are normally given, the attack could cost the company more than half of its annual revenue. Of course, there may be ways to lessen those risks, and the CISO would need to present them along with their costs.
The CISO's job is ongoing and doesn't stop once the company is "secure." A company's security posture is a snapshot in time, just like its finances and its standing in the industry. Once the CFO has helped the company achieve financial stability, the CEO has helped it reach top standing in the industry, and the CISO has secured the organization's network, those jobs don't end "in order to save money." To remain in good standing, organizations need leaders of all types to keep the business growing and on course.
- Coordinate Your Information Security and Finances to Work Together
A more appropriate name for the Chief Information Security Officer might be Chief Cyber Officer, or CCO. Like the CFO, the CCO must have a supporting cast of employees who gather data from various cyber tools and then analyze it. Much as CFOs and their teams work, the CCO team's analysis should enable the CCO to show the state of security the company has observed in the past, the state it is currently in, and the state of security toward which the company is headed. These analyses are important because they help the CFO and CCO decide what to do next financially and operationally. Without them, both are apt to make uninformed and bad decisions for the company. Poor execution from the CCO function could be as devastating to the business as poor execution from the CFO.