Maintaining information and cybersecurity is a hefty undertaking for any organization. But it’s an even bigger challenge for smaller businesses.
What about building a strong, comprehensive organizational information/cybersecurity/risk management program? One that can keep information private, readily available to those who need it, and safe from ongoing threats that continually evolve, are growing in number, and can originate internally or externally from anywhere in the world?
That’s an even greater feat, one that comes with even broader responsibilities that directly impact the business.
Too many organizations hold a narrow view of information/cybersecurity. Perspectives range from purely physical/facilities security (“guns and guards”) to purely technology (it’s technology, so it’s IT’s problem). Security responsibilities aren’t just about managing firewalls, maintaining security on network servers, changing passwords, and cleaning up computer viruses. The job is much more comprehensive. And it isn’t about handing off the duties to an IT person as another responsibility. It’s much more holistic.
The reality is that information/cybersecurity needs to be deeply rooted in the organization’s workforce mentality and business processes, meaning there’s no easy or “silver-bullet” technology solution that ensures confidential information stays secure, trusted and available when needed.
Instead, success—whatever your size—requires a “champion” who understands how to balance the needs of the business and customer safety with regulatory requirements and acceptable practices based on a solid foundation of risk management.
From planning and implementing policy and process, to educating the workforce and keeping senior leadership apprised of risks that could impact the business and customer safety, to monitoring performance and compliance, the concept of information/cybersecurity goes well beyond technology and the IT department. Clearly, it is an enterprise-wide risk management issue.
Managing the kind of program necessary to protect information—paper or digital—as well as the places or assets where information resides, and the people (e.g., employees, contractors, vendors, consultants, etc.) who access it, is a wide-ranging, business-driven, organization-focused, full-time job regardless of the size of the organization. Most federal regulations require that an individual be named as in charge of, and actively managing, your information/cybersecurity program; your clients and customers deserve nothing less.
Considering the critical importance of the job, the need for balanced enforcement, continuous monitoring and improvement, and the increased number of breaches and subsequent lawsuits that now include naming corporate officers and even boards of directors, the job is certainly a weighty one. Ideally, whoever holds the title of security officer should report to the senior-most person in the organization or even the board.
Smaller organizations with limited resources will find this kind of hiring decision difficult to make. But when weighed against the cost of breaches that put customer data and an organization’s reputation, or even its survival, at risk, the decision is easily justified. Add to this the fact that the threats are not subsiding, but rather growing both externally and internally, and the position is further justified.
Who Will Lead?
Putting regulations aside, the protection of customer confidentiality and ensuring the integrity of their personal information is not an option—it is a serious responsibility.
Who’s your organization’s information/cybersecurity leader? It’s not an optional decision, or one to be taken lightly.