CISO of 2016 – Balancing Prevention and Remediation

If last year’s leaks, hacks and breaches have taught us anything, be they from Fortune 500 companies or our own personal accounts – it is that cyber security, especially concerning email management, is now a top priority.

Before we get further into what promises to be the biggest year ever for matters of mail security and onward, it’s worth reflecting on one of the most useful pieces of research published last year - PwC’s The Global State of Information Security Survey 2016. The research found that in 2015, 38% more security incidents were detected than in 2014 (the total number of global security incidents was revealed in the last PwC survey of the same name to be equivalent to 117,339 per day).

CISO image

It’s therefore of great relief to note that this year’s report confirms that the majority (54%) of organizations have a CISO (i.e. Chief Information Security Officer) in charge of the security program. In recent years there has been a sharp rise in the number of CISOs being created and a few companies, recognizing the critical task of defending the company, its assets and its employees, have smartly made their CISO a member of the C-suite.

Hiring a CISO is the first step, but once in place, they’ll have their work cut out for them assuring the CIO, CEO and the wider company that the focus of cyber security should always be heavily weighted towards prevention e.g. email data loss prevention, rather than wholly on incident response  e.g. a spear phishing attack.

That being the case however, what can make the difference between having a problem and suffering a disaster is advance planning and preparation. In addition, more often than not, what can really save a company is how its CISO responds.

A toolkit for industry-standard security should include plans for email continuity and outages (in terms of system, network, facilities and staff) and one over-riding ‘Highlander’ (there can be only one!) Emergency Action Plan that acts as a master checklist and parent to all other emergency and continuity plans. Once those plans have been developed, they should be practiced, frequently, both on paper, on a desk and in real-life, until all those with a part to play are comfortable that they’d be able to act swiftly and decisively should the worst happen.

Technology is another key factor. However, while it may be wise to invest in the best products and services available at the time of purchase, it’s also necessary to use it to constantly assess and reassess elements of the company’s infrastructure, whether it be its email infrastructure, local network architecture, etc. Any weaknesses found will undoubtedly be exploited, so if a CISO is lucky enough to come across them before any cybercriminals, they should be protected and patched immediately. The fit-and-forget mentality is no longer acceptable, as technology and protection date very quickly.

And finally, it also comes down to the employees. Provide them with the best tools you can, educate them about the dangers of spear phishing, weak passwords and public Wi-Fi hotspots – if you show them how to protect themselves, they will be protecting the company at the same time. By using the best protection, technology, education and training possible, you’re closing as many of the exploitable holes—be they in the network, software, people or process.