(Post 11 of the 12-week Information Security Management blog series)
Much like our skin is a protective barrier for our bodies, leaders shield their organizations from threats. The risk-based decisions that leaders make directly affect how susceptible their companies are to threats. Some decisions increase risk while others can greatly reduce it.
Similar to how different types of sunblock protect one’s skin to different extents, the degree to which leaders and managers support security can mean the difference between real protection and, well, getting burned. Leadership support of security depends on three key things: that leaders sanction security, practice security, and fund security. This is something I call your information security SPF.
Sanction Security
It is critical that business leaders formally implement security within their organizations. This is done in the form of policies and standards. Policies are high-level statements of senior leaders’ positions and expectations on particular topics. Standards explain how those policies are to be implemented. By creating, implementing, and enforcing security policies and standards, senior leaders and managers establish their commitment to security. They tell all employees that security is important to the organization’s success and that their leaders take it seriously.
Practice Security
Simply creating security policies and telling employees to follow them doesn’t go very far if the organization’s leaders won’t follow them themselves. Security is only as strong as its weakest link, and because of their high level of access, managers and executives are common targets. Their credentials often have broader access to valuable information than those of lower-level employees. Abusing a leader’s position to reach administrators or other people with sensitive access can also be easier than trying to compromise those employees directly.
Leaders who strictly adhere to their own security policies and standards make their security programs stronger simply by practicing security. An added benefit to this is that by strictly adhering to their own policies and standards, leaders reinforce their commitment to security with their employees. It makes a statement that leaders consider security important and sets an example for their employees to follow.
Funding Security
Having policies and adhering to them are essential elements of a fully functional security program that properly protects your organization, but security isn’t free. Technology must be maintained, updated, and replaced when it becomes antiquated. With technological capabilities also come vulnerabilities and risk that must be addressed. Addressing risk in order to provide security costs money.
The technological solutions that defend against vulnerabilities cost money. Transferring risk to a third party means paying them to provide a capability for you. Eliminating risk means losing the capability altogether. Simply accepting risk is cheap unless the related vulnerabilities are exploited, at which point it can become very expensive.
Organizations should budget for cybersecurity. This includes paying for assistance in implementing and managing security programs, purchasing and maintaining security products such as anti-malware and intrusion detection systems, and contracting with business service providers who offer the highest degree of protection. Managers also need to plan for technology upgrades to ensure they are not stuck using products that are no longer updated and supported. Finally, organizations should employ administrators who are properly trained and qualified to maintain the technologies the organization uses.