Questions Every CIO Should Ask the Cybersecurity Leader: Part 3

This is the third and final installment in a series covering cybersecurity for the CIO. Be sure to read Part 1 and Part 2 for the first five questions every CIO should ask the organization’s security leader.

Ultimately, cybersecurity must ensure that there are proper and effective controls in place to protect an organization’s sensitive business assets, especially the data that differentiates and sustains the business. Over the past two decades, however, the industry has been influenced by both a mistaken belief and an unfortunate reality.

The Final Question for the Cybersecurity Leader

The mistaken belief is that there is some kind of magic bullet to wipe out the constant barrage of threats against these assets. With today’s advanced persistent threats (APTs) providing a level of sophistication that can easily dance around individual cybersecurity capabilities, leaders now realize that only an equally sophisticated and integrated approach that spans multiple risk management controls can succeed.

The unfortunately reality is that to properly protect the organization’s assets, the cybersecurity leader needs to know where all those assets are. Alarmingly, many organizations don’t even know where their sensitive business data is, particularly the copies stored in unstructured form on local devices and machines.

6. What Risk Management Controls Are We Actively Addressing to Specifically Protect Sensitive Business Data?

Chief information officers (CIOs) and cybersecurity leaders commonly use 10 risk management technology controls to protect sensitive business data. These fall under four categories: data security, application security, identity and access management, and fraud prevention.

Data Security:

  1. Encryption to protect the data itself;
  2. Discovery and classification to identify and sort narrow sets of sensitive business information and monitor movement and access, both structured and unstructured;
  3. Data and file activity monitoring (DFAM) to protect and monitor access to the identified sensitive data; and
  4. Data loss prevention (DLP) to monitor and restrict the movement of sensitive data.

Application Security:

  1. Static source code analysis to ensure that the applications being written are not susceptible to known cybersecurity attacks; and
  2. Dynamic application analysis to ensure that compiled applications ready to be deployed, whether off the shelf or written internally, cannot be compromised by known vulnerabilities.

Identity and Access Management

  1. Identity governance to confirm that only the right people can access the sensitive assets being monitored;
  2. Access management to ensure that only the right people are actually accessing the sensitive assets being monitored; and
  3. Insider threat monitoring to confirm that privileged users are not compromising sensitive assets.

Fraud Prevention

  1. Mobile fraud prevention to identify any fraudulent transactions through mobile applications.

Putting It All Together

The best practice here is to identify the most sensitive business data based on the prioritized business risks, then leverage the 10 risk management controls noted above to discover, classify and protect that data. The CIO and cybersecurity leader must collaborate to ensure that this information is properly protected across their IT investments.

Cybersecurity is an incredibly important and complex imperative for the modern connected business. CIOs must be actively involved in addressing the most crucial yet underserved cybersecurity issues for the organization to meet its risk management and overall business objectives.

Share this Article:
Bob Kalka

Vice President, IBM Security Business Unit

Bob Kalka, CRISC, is a Vice President in the IBM Security Business Unit. He has been involved in the information security industry for 20 of his 25 years with IBM. He has held a number of leadership positions in product management, sales, business development, marketing management and product development. He is a frequent international speaker on the relationship of business with Information Technology, cloud computing and security, and has had numerous papers and articles published on these topics. He also holds a United States Patent related to secure distributed computing software.