If we have learned anything over the last few years about data breaches, it is that they are likely to happen. However, data breach frequency can be reduced and its impact minimized with some key strategies.
Both response and prevention efforts are greatly impacted by organizational culture. Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures. In a positive security culture, security is seen as important and vital to organizational success; in a negative security culture, it is ignored or even discouraged.
You can reinforce an existing security culture or bolster a lagging one with some of the same strategies. The first strategy is to make the topic of security a common one. Discuss risks in meetings and common decision-making situations. Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk. Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.
Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen. It is also a crucial component of a security culture. Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort. Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks. Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.
Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner. An effective response can greatly minimize damages to both the organization and its customers. Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.
Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization. Responsibility for security lies not only with IT but with the entire organization: from senior management to the factory floor, from remote office workers to branch office managers, and from interns to HR. The CSO or CISO will also need a budget to perform these activities.
Choose your CSO or CISO wisely because they will be a driving force behind security initiatives. They will need to be an effective communicator and leader with good vision and planning skills. In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience. Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.
Put the right strategies in place to bring about cultural change, increase awareness, and refine and communicate incident response plans. Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.
Special thanks to Microsoft Office, the sponsor of this article. As always, all thoughts and opinions are my own.