What should a CIO expect for a security breach?

CIOL Bureau

BANGALORE, INDIA: At the outset this is a tricky one to answer. A comparison with the other C's, the CEO, COO and CFO, may offer some perspective. Who is held responsible if the business does not yield the desired profits? Of course the CEO. Similarly, the blame for underutilization of manufacturing capacity is attributed to the COO. The CFO does not stand the remotest chance if the financial statements are found to be misrepresented. So why should the CIO expect different treatment for a security breach of the company's information?

The answer should obviously be in the negative, and recent cases have upheld this verdict, costing the CIO his job. But can this be made a 'rule' without understanding the ground realities actually practiced in most organizations?

Some questions for the CEOs, COOs and CFOs who still sit above the CIO in the organizational hierarchy:

* Is your CIO empowered with the requisite authority and resources to implement everything required to ensure that the necessary security is in place?

* Are the processes and practices stated in the information security policy actually practiced by every function? If not, are any penalties imposed on erring personnel?

* As part of the top management, do you preach and practice the policies yourselves?

* Is implementing best HR practices a priority in your organization?

An immediate answer may be in the affirmative, but in most cases the honest answer is 'no'. This is because the primary expectation from the CIO has always been to ensure system continuity and disaster recovery. Information security has always been taken for granted. Only when a disaster strikes do we look for a scapegoat, and the obvious target is the CIO/CSO.

In most cases the security breach actually happens through the fault of a non-IT person. Nevertheless, it is a fact that all companies are vulnerable to threats and policy breaches, and therefore it is almost mandatory to move past the blame game and recognize that a risk management plan must be in place. Managing security and risk requires detailed procedures, current technologies, experienced technical staff and adequate budgets. These should be in place and properly allocated before we move forward.

The approach should be to form a core team drawn from every function, made up of people who are experienced in the business and able to identify the potential threats. Technology plays a major role in thwarting threats and addressing vulnerabilities, but it alone is not enough. There also need to be laid-down procedures followed by every executive in the organization, especially those in sensitive functional areas. Once formulated and documented, the security policy is available for all to follow.

The next step is to put the policy into practice, which by all means is a herculean task. It can be initiated by orienting every function about the threats and their implications for the business. It should be clearly stated that every function, and every individual within it, is jointly responsible for ensuring that there are no security lapses.

Implementing the risk management plan and security policy is quite a challenge, as it involves a complete cultural change in the way of working within the organization. I see HR playing a major role in steering this forward. The implementation can be counted a success only when people are not merely required to follow the procedures but feel responsible from within and are willing to follow them on their own. This is where a company with a strong HR focus stands at an advantage.

Most of us may feel that this is an idealistic target and a high peak to climb, but every success starts with the first step. Making a start would soon ensure that the management mindset changes from searching for a scapegoat to building a sturdy defense within the organization, the benefits of which can be reaped by all.