October 28, 2016 By Bob Kalka 2 min read

This is the third and final installment in a series covering cybersecurity for the CIO. Be sure to read Part 1 and Part 2 for the first five questions every CIO should ask the organization’s security leader.

Ultimately, cybersecurity must ensure that there are proper and effective controls in place to protect an organization’s sensitive business assets, especially the data that differentiates and sustains the business. Over the past two decades, however, the industry has been influenced by both a mistaken belief and an unfortunate reality.

The Final Question for the Cybersecurity Leader

The mistaken belief is that there is some kind of magic bullet to wipe out the constant barrage of threats against these assets. With today’s advanced persistent threats (APTs) providing a level of sophistication that can easily dance around individual cybersecurity capabilities, leaders now realize that only an equally sophisticated and integrated approach that spans multiple risk management controls can succeed.

The unfortunately reality is that to properly protect the organization’s assets, the cybersecurity leader needs to know where all those assets are. Alarmingly, many organizations don’t even know where their sensitive business data is, particularly the copies stored in unstructured form on local devices and machines.

6. What Risk Management Controls Are We Actively Addressing to Specifically Protect Sensitive Business Data?

Chief information officers (CIOs) and cybersecurity leaders commonly use 10 risk management technology controls to protect sensitive business data. These fall under four categories: data security, application security, identity and access management, and fraud prevention.

Data Security:

  1. Encryption to protect the data itself;
  2. Discovery and classification to identify and sort narrow sets of sensitive business information and monitor movement and access, both structured and unstructured;
  3. Data and file activity monitoring (DFAM) to protect and monitor access to the identified sensitive data; and
  4. Data loss prevention (DLP) to monitor and restrict the movement of sensitive data.

Application Security:

  1. Static source code analysis to ensure that the applications being written are not susceptible to known cybersecurity attacks; and
  2. Dynamic application analysis to ensure that compiled applications ready to be deployed, whether off the shelf or written internally, cannot be compromised by known vulnerabilities.

Identity and Access Management

  1. Identity governance to confirm that only the right people can access the sensitive assets being monitored;
  2. Access management to ensure that only the right people are actually accessing the sensitive assets being monitored; and
  3. Insider threat monitoring to confirm that privileged users are not compromising sensitive assets.

Fraud Prevention

  1. Mobile fraud prevention to identify any fraudulent transactions through mobile applications.

Putting It All Together

The best practice here is to identify the most sensitive business data based on the prioritized business risks, then leverage the 10 risk management controls noted above to discover, classify and protect that data. The CIO and cybersecurity leader must collaborate to ensure that this information is properly protected across their IT investments.

Cybersecurity is an incredibly important and complex imperative for the modern connected business. CIOs must be actively involved in addressing the most crucial yet underserved cybersecurity issues for the organization to meet its risk management and overall business objectives.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today