Considering how the past few years have gone, it came as no surprise that the first half of 2017 has already been a terrifying ordeal in terms of the state of IT security. The WannaCry ransomware attack dominated headlines around the world, becoming the largest and fastest-growing malware outbreak in history. Additionally, data and infrastructure security professionals are being inundated with a constant stream of newly identified security flaws in hardware and software deployed on production networks.
It's safe to say that our battle against cyber-criminal activity is not going as well as many had hoped. That raises the question: what approach, from a messaging standpoint, should a CIO take when discussing data security with other C-level execs and stakeholders? While some CIOs might choose to put on rose-colored glasses and pretend everything is just fine, others are beginning to take a more realistic approach.
The times are long past when IT leaders could simply plead ignorance when it's discovered that their infrastructure has been breached. That's why I'm often shocked to still hear CIOs boast about how “tight” they believe their security to be. Clearly, this is the wrong approach to take -- even when uttered behind closed doors. Instead, enterprise networks should be looked at as living, breathing entities. They may be completely healthy one minute, yet succumb to a virus the next. Even when considerable time, money, and effort are spent to secure a network, there’s always going to be a weak point. Even with advanced artificial intelligence to aid in the fight, malware authors are managing to find plenty of ways to evade prevention mechanisms. The bottom line is, we should assume that if someone wants to break in -- they'll undoubtedly find a way.
But at the same time, a CIO can't simply throw their hands up and tell stakeholders that the sky is falling and all hope is lost. Instead, they must paint a picture of IT security as an area of IT that’s in continuous fluctuation. Furthermore, they need to convey that two key factors play a role in whether the organization is more or less at risk from an attack or breach. The first factor is the speed at which the organization can respond to a threat. This is a wide-reaching consideration that covers multiple areas of IT security, including tool automation, staff skill sets and escalation procedures. Speed is everything in a field where every millisecond counts.
The other factor that significantly impacts the risk an enterprise organization takes regarding data security lies in the contingency plans and procedures that are enacted once a breach occurs. Because we can't possibly plug all the holes that are exposed to the bad guys, threats can be significantly minimized using contingency plans. For example, if an enterprise organization maintains isolated, offline backups, it is largely immune to malware exploits. Other contingency plans can address DDoS or virus outbreaks. These days, contingency plans are as important as the security tools put in place to prevent the security threat in the first place.
If you’re a CIO – and you want to “stay out of the headlines” – the way you message data security threats can work to your advantage, if it's done properly. Instead of putting on that fake smile when telling everyone there’s nothing to fear, it may be beneficial to be far more honest with stakeholders. That way, their expectations are more in line with the actual truth and less in line with the false expectation that nothing bad can ever happen. Let them know about your strengths, weaknesses and keys to success. By doing so, you might find that injecting a dose of reality can help build relationships that foster more interest in and support for the protection of company data moving forward.