Security breaches happen, but some cause more harm than others. How can professionals charged with IT protection and compliance activities ensure that their security efforts maximize protection? Where and why is security important?
The traditional approach to cybersecurity typically focuses most resources on critical system components and on combatting the largest known threats. This method of defense leaves less-visible system components open to threats and other less-obvious risks unattended.
In SearchCIO's recent cybersecurity-themed tweet jam, participants discussed just that. How do you determine what needs protecting? Specifically, we asked the following:
Q4 Breaches happen. Some say to focus on what will do the most harm & protect that. Agree? How do you decide what needs protecting? #CIOChat— SearchCIO.com (@searchCIO) October 30, 2013
Our tweet jam expert, Elliott Franklin, information security manager at San Antonio, Texas-based Whataburger Restaurants LLC, said that IT professionals should first focus on business-critical activities:
Speaking of the business, our tweet jam participants emphasized the importance of getting everyone on the same page when it comes to appropriate cybersecurity and understanding the foundations of security:
CIOs and CISOs must have a common message that breaches will happen but with partnership IT can help minimize the damage. #CIOChat— Elliott Franklin (@elliottfranklin) October 30, 2013
A4 A critical aspect to any security program is the foundation of value & risk created by info owners/creators, IT is next #CIOChat— Mark Thiele (@mthiele10) October 30, 2013
To combat security breaches, CIOs, chief information security officers and compliance officers must understand why security is important and what data they need to protect. From there, employee training must be a top priority, according to tweet jammers:
A4 data that is obsolete should be discarded: If it no longer exists, it is no longer a threat that needs to be protected #CIOChat— SearchCompliance.com (@ITCompliance) October 30, 2013
A4: The value of corp data changes every day. Important to have a strong process for info lifecycle to match security awareness #CIOChat— Mark Thiele (@mthiele10) October 30, 2013
A4 #CIOChat there's a risk of awareness training fatigue, have 2 prioritize such efforts based on intel that is tailored to ur org (Ideally)— Gal Shpantzer (@Shpantzer) October 30, 2013
Expanding upon SearchCompliance's tweet, giving employees access to corporate information via mobile devices, take-home laptops or tablets opens a vector for security breaches. But is end-user training enough to combat this increased risk? Tweet jammers discussed how to handle the physical aspect of security breaches:
A4: Also, encryption tech is vital. Way too many breaches due to unencrypted devices. Poster child = healthcare. Must. Encrypt. #CIOChat— Jenny Laurello (@jennylaurello) October 30, 2013
Creating a firewall and protecting data digitally is important, but #CIOChat participants were just as concerned about in-the-flesh threats:
A4 We are talking more about social eng & assoctd training, which is good. But physical security is still critical. #CIOChat— Mark Thiele (@mthiele10) October 30, 2013
@mthiele10 those guards then talk on their phone or sms their friends. Seen it at high end malls w jewelry stores... Sheesh!— Gal Shpantzer (@Shpantzer) October 30, 2013
Where are your security efforts focused? How do you decide what needs protecting, and to what extent do compliance regulations play a role? Tell us why you think security is important in the comments section below, then read the full #CIOChat conversation on Twitter.