Christopher Buse has a daunting job. As Assistant Commissioner and CISO for Minnesota IT Services, he’s the guy that the state relies on to keep government networks and data safe 24 hours a day. Ask him what concerns him the most and you might be surprised at his answer. It’s the end users and the computers they use to do their work every day. That’s what he told an audience of financial leaders at the MNCPA Management and Business Advisors Conference in Minneapolis this month.
What was a CISO (Chief Information Security Officer) doing at a conference for CPAs? He was educating these financial professionals about the cybercrime threat landscape and the building blocks that make up an effective approach to cyber risk management. Hopefully, the CPAs took home these questions from Buse’s presentation.
1. Are we doing what we should be doing to keep our organization safe?
Many companies erroneously assume that everything that needs to be done for cybersecurity is already being done by their IT provider or their internal staff. Then one day they experience a breach and discover not only that their assumption was wrong, but that they get to pay the IT company extra to get back up and running. As an executive, you shouldn’t need to tell your IT provider what needs to be done, but you also shouldn’t hesitate to ask questions when you have concerns.
2. What if we have a breach? Do we know what to do? Have we tested our procedures?
Some security experts say that it’s not a matter of “if” an organization will be hacked but “when.” Pull out your backup and disaster recovery procedures and check whether the amount of data being stored is something you can live with. Employees should be trained in how to access and use it to get operations up and running again. Make time for practice and testing now to save time in the event of a breach.
3. Where does our business data live outside of our organization? Is it safe there? How can we know this for sure?
If yours is like most companies, you probably have important and confidential information in places outside your perimeter. This could be bank information, designs and trade secrets, and employee information that your vendors have on file or that you have integrated with cloud services. Depending upon your situation, you may need to ask yourself if a security audit is in order. Organizations that must comply with government regulations should already be doing this.
4. Who is responsible for cybersecurity?
Buse was clear that upper management owns cyber risk and that the responsibility for protecting company networks and data belongs to all staff. Teaching employees how to recognize and respond to threats isn’t satisfied by an annual webinar. Because cyber threats change and evolve, cybersecurity awareness training for everyone, including executives, should be ongoing to keep security practices up to date and top of mind.
5. Can we afford not to invest in cybersecurity?
The impact of cybercrime is devastating. Downtime, loss of reputation, legal fees and litigation, and unexpected costs will create hurdles that most companies can’t overcome. Cybersecurity is essential for organizations that want to survive.
Cybersecurity as Strategy
Many companies don’t know how to include cybersecurity in their IT and business strategy, and that’s where Thriveon comes in. Our 7 Part IT Strategy includes security as one of the facets of a comprehensive IT plan. Our security practices have third-party verification through CompTIA’s Security Trustmark Plus credential, which is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.