October 28, 2016 By Bob Kalka 2 min read


This is the third and final installment in a series covering cybersecurity for the CIO. Be sure to read Part 1 and Part 2 for the first five questions every CIO should ask the organization’s security leader.

Ultimately, cybersecurity must ensure that there are proper and effective controls in place to protect an organization’s sensitive business assets, especially the data that differentiates and sustains the business. Over the past two decades, however, the industry has been influenced by both a mistaken belief and an unfortunate reality.

The Final Question for the Cybersecurity Leader

The mistaken belief is that there is some kind of magic bullet to wipe out the constant barrage of threats against these assets. With today’s advanced persistent threats (APTs) providing a level of sophistication that can easily dance around individual cybersecurity capabilities, leaders now realize that only an equally sophisticated and integrated approach that spans multiple risk management controls can succeed.

The unfortunate reality is that to properly protect the organization’s assets, the cybersecurity leader needs to know where all those assets are. Alarmingly, many organizations don’t even know where their sensitive business data is, particularly the copies stored in unstructured form on local devices and machines.

6. What Risk Management Controls Are We Actively Addressing to Specifically Protect Sensitive Business Data?

Chief information officers (CIOs) and cybersecurity leaders commonly use 10 risk management technology controls to protect sensitive business data. These fall under four categories: data security, application security, identity and access management, and fraud prevention.

Data Security:

  1. Encryption to protect the data itself;
  2. Discovery and classification to identify and sort narrow sets of sensitive business information and monitor movement and access, both structured and unstructured;
  3. Data and file activity monitoring (DFAM) to protect and monitor access to the identified sensitive data; and
  4. Data loss prevention (DLP) to monitor and restrict the movement of sensitive data.
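The four data security controls above describe what discovery, classification, activity monitoring and DLP are for, but not what they look like in practice. The following Python example, added here and not part of the original article, shows a minimal version of that pipeline: it scans a constructed unstructured document for sensitive data patterns (payment card numbers validated with a Luhn checksum, US SSN-formatted tokens, and explicit classification markers), assigns a classification label, and applies a toy DLP policy to a proposed data movement. The sample text, the patterns, the labels and the policy are all assumptions chosen for illustration, and findings are redacted so that the scanner's own output does not become another copy of the sensitive data.

```python
import re

# Constructed sample of an unstructured local document. It contains one
# card-like number that passes the Luhn check, one that does not, an
# SSN-formatted token, and an explicit handling marker.
SAMPLE_DOCUMENT = """\
Q3 pricing memo - INTERNAL ONLY
Customer card on file: 4539 1488 0343 6467
Test fixture number: 1234 5678 9012 3456
Employee reference: 123-45-6789
"""

# Detection patterns (illustrative; a real classifier would use a vetted rule set).
PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification_marker": re.compile(
        r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE
    ),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def discover(text: str) -> list:
    """Discovery step: locate sensitive tokens and record where they occur."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "payment_card" and not luhn_valid(value):
                continue    # checksum failure: almost certainly not a real card
            shown = value if name == "classification_marker" else redact(value)
            findings.append({
                "type": name,
                "value": shown,
                "line": text.count("\n", 0, m.start()) + 1,
            })
    return findings


def classify(findings: list) -> str:
    """Classification step: derive a single handling label from the findings."""
    types = {f["type"] for f in findings}
    if types & {"payment_card", "us_ssn"}:
        return "restricted"
    if "classification_marker" in types:
        return "internal"
    return "public"


def dlp_decision(label: str, destination: str) -> tuple:
    """DLP step (toy policy): restricted data may only move to internal destinations."""
    external = destination.startswith("external")
    if label == "restricted" and external:
        return ("block", "restricted data to external destination")
    if label in ("restricted", "internal"):
        return ("allow", "logged for data activity monitoring")
    return ("allow", "no sensitive content detected")


if __name__ == "__main__":
    found = discover(SAMPLE_DOCUMENT)
    for f in found:
        print(f"line {f['line']}: {f['type']} -> {f['value']}")
    label = classify(found)
    print("classification:", label)
    print("send to external_email:", dlp_decision(label, "external_email"))
    print("copy to internal_share:", dlp_decision(label, "internal_share"))
```

Running the script classifies the memo as restricted because of the single Luhn-valid card number and the SSN-formatted token, blocks an attempted move to an external destination, and allows an internal copy while recording it for activity monitoring. The Luhn filter is the part worth copying: without it, test fixtures and order numbers produce the false positives that lead teams to switch discovery tooling off.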

Application Security:

  1. Static source code analysis to ensure that the applications being written are not susceptible to known cybersecurity attacks; and
  2. Dynamic application analysis to ensure that compiled applications ready to be deployed, whether off the shelf or written internally, cannot be compromised by known vulnerabilities.

Identity and Access Management:

  1. Identity governance to confirm that only the right people can access the sensitive assets being monitored;
  2. Access management to ensure that only the right people are actually accessing the sensitive assets being monitored; and
  3. Insider threat monitoring to confirm that privileged users are not compromising sensitive assets.

Fraud Prevention:

  1. Mobile fraud prevention to identify any fraudulent transactions through mobile applications.

Putting It All Together

The best practice here is to identify the most sensitive business data based on the prioritized business risks, then leverage the 10 risk management controls noted above to discover, classify and protect that data. The CIO and cybersecurity leader must collaborate to ensure that this information is properly protected across their IT investments.

Cybersecurity is an incredibly important and complex imperative for the modern connected business. CIOs must be actively involved in addressing the most crucial yet underserved cybersecurity issues for the organization to meet its risk management and overall business objectives.
