In my opinion the top 3 challenges for the CBIO as it relates to Information Security over the next few years will be protecting the CEO by:
- Evaluating the real business impact of cloud and mobility technologies as it relates to IT Security, governance, and privacy.
- Assessing your data exposure for IT Security planning purposes.
- Learning how to communicate with the CEO, who either doesn’t care, or doesn’t understand, or a combination of both. You have his/her back, but does he/she know it?
- 3rd Party Risk – the entities you do business with.
We have to start with the premise that there is no private communication in the truest sense of the word. Our business communications are ‘un-private’. We have seen this recently with the NSA. If there is a need to get the information, either the NSA or the court system will get it.
What are the problems the CEO faces?
The problem is the indiscriminate sending and receiving of email and text, and the storage and movement of files, between cloud service providers, internal systems, laptops, phones, etc. Where does data governance start? It starts at the core, but when the core data is now strewn around the enterprise, what do you do next?
The CEO and top brass, including the Board, need to protect themselves. The context of a message (email, text, etc.) is what is usually misconstrued by the court systems. What if you could send a text message that disappears from the phone within 30 seconds? It doesn’t exist on servers or on the phone and is totally nuked.
The courts can of course subpoena information from IT, and it is IT’s responsibility to produce the information. What if the text messages can’t be reproduced? What if these messages have disappeared? A conversation in a coffee shop can’t be reproduced digitally. What if your text messages followed the same path?
We are going to see a shift in security into this realm of communication. Sure, there will be issues with HIPAA and other privacy concerns, but what about the wide variety of communication at the senior team level about a general business problem, an issue with an employee, or a customer?
Are you going to want this communication going across your cloud provider infrastructure or being texted in the clear?
One of the biggest issues for business is the pressure that mobile devices and cloud technologies place on businesses to push data into the cloud and onto mobile devices that are both owned and not owned by the business. Now IT departments have to weigh cloud providers’ security promises against building their own teams of security professionals. Additionally, due to the multifarious methods of delivering data to laptops, home users, and phone and tablet users, there is zero assurance that your data is secure.
4 Ways the CBIO can reduce and protect the CEO’s digital footprint:
- Varonis DatAnywhere – business-class file sharing that matches your internal data security governance policies. Turn your files into an instant private cloud.
- Secure text messaging using Cyberdust. After 30 seconds the text disappears forever. I learned about this product while listening to this podcast with Mark Cuban and James Altucher. If you want to listen or download the notes, here it is.
- CEO Risk Communication – Using a CBIO Scorecard you can visually represent Security risk and exposure as a portfolio based approach to IT Security investing.
- 3rd Party Risk or Cloud Risk profile. You can assume that a third party that holds an SAE or PCI certification is doing the most it can, but this is only a handful of providers. What are your other third-party vendors doing as it relates to security, policies, compliance, etc.?