Information security is a broad challenge facing most businesses today and while given significant attention in recent years, it has intensified in the last 18 months. Threats span multiple industries and attacks have been more widely publicized. Senior management and corporate boards are now asking for routine updates and want to know about countermeasures being planned and implemented by organizations.
One of the most important first steps to address information security is to assess the risk to your business. Companies have varying degrees of risks and knowing what you need to protect is critical. Understanding your risks is a partnership between the CIO and/or CISO and business leaders. With your risk profiles defined, being cost effective comes down to prioritization and focus. I’ve found that this can be done successfully in three steps.
Pinpoint top vulnerabilities: Understanding the organization’s strategic objectives and its full risk profile gives the CIO and/or CISO perspective about what information is most critical to protect and where the vulnerabilities in the company’s information infrastructure are. With this laser view you can minimize your spending by selecting products and services that will net you the highest value-add.
Identify mitigation solutions: A combination of products, services and partners can be used to minimize vulnerabilities. It’s the responsibility of the CIO and/or CISO to determine the solutions that will strengthen its security relative to the business-led prioritized vulnerabilities. As the number of information security companies has grown exponentially, it can be daunting to select available services. The way we have approached our selections is to leverage multiple contacts (peer networks to government agencies) to benefit from their knowledge and experience. A company can save a lot of time and money by asking people they can trust the most –their external peers. CIOs have an unstated bond – we are always willing to give each other advice leveraging our own successes and failures.
Lock down risks: After a solution is selected, implementing it is just as important. Monitoring is critical too since information security is a 24x7 job. For companies that cannot afford to add significant security resources, partnerships with information security companies are essential. While, AES leverages such partnerships, we also have built strong relationships with governments and law enforcement agencies who have helped guide us as well.
At AES foundation, IT experts are engaged from the network layer to the systems analysts and engineers who support our plant control systems. These experts communicate in a sophisticated technical language that isn’t always understood by non-technical people. While many of their efforts are critical, they alone cannot protect our ecosystem.
In closing, protecting information comes down to the decisions made and actions taken by people in your organization each and every day. The more people educated - from your board to the front office – the better protected your information can be. Securing information is a 24x7 activity and monitoring is one of the best defenses as well as continuous education.