Julie Cullivan, SVP Business Operations & CIO, FireEye
Risk. It’s a four-letter word in more ways than one. Fear of risk makes us wait, put things on hold, and potentially cost us something: an opportunity, a competitive edge or an account.
Sometimes it’s not only worth it to take a risk, it’s necessary. Businesses may need to change the way they do business, and that change may require a certain amount of risk.
What many companies don’t believe is that it’s possible to do both—be productive and maintain security.
Enterprise Risk Management
The cyber security world is fraught with risk. And while we like to feel secure the fact is, breaches are inevitable. There is no question a security breach can happen to even the most prepared organization, thanks to savvy, sophisticated threat actors. We develop a new way to protect ourselves and before it’s even in place, some hacker is ahead of the curve with a way to sneak past it. So if you can’t guarantee a breach won’t happen, the best you can hope for is to lessen your exposure to risk. Enterprise risk management is the best way to approach that.
There are three fairly straightforward steps to managing risk:
1. Measure. Your first task is to accurately measure your level of vulnerability. Just how much risk are you willing to accept? Zero risk is probably not an option for most of us. Just having a computer or a mobile device means there’s a potential for a breach. So first determine how risky it is, and then decide whether a new way of doing business is worth that risk. Say you’re considering whether to allow your employees to use a cloud application to store and share files. Is the need for them to share instantly more important than the risk of opening your network up to possible malware-infected documents?
2. Discuss. It’s important to have buy-in from people across the company. A working team composed of cross-functional representation can do a lot of the legwork on the front end to assess the risk and how it will impact the company’s productivity. A decision to roll out a new HR system may impact finance, or may mean sales people on the road now need mobile access. This team can address the concerns and calculate the risk involved in implementing the new capabilities. Regular meetings are key here, because businesses, and their needs, change–but so does the threat landscape. Input from various stakeholders ensures you’ve thought of everything before taking an idea to the top-level decision makers.
3. Negotiate. Consider creating an executive security steering committee. During regular meetings, this team should be updated on where the company currently is security-wise, and discuss security concerns that need to be addressed at the executive level. Sometimes you’re faced with a higher level of risk than you’re used to, and you may get push back from folks who are unwilling to take that leap of faith. If your working team has already discussed the pros and cons and concluded that it’s worth the risk, your executive team has the input they need from across the company to make an informed decision. This team should meet quarterly but may be needed in the meantime if a security need arises. Above all, it is key that this team understand that security is not simply an IT concern–it is an enterprise concern with company-wide implications.
“The right combination of technology, intelligence and expertise can go a long way to protect your company’s network while keeping your company’s doors open for business”
Lock the Doors
While it may sound dramatic, an organization needs to secure the perimeter before anything else. How secure are your firewalls? When is the last time you updated your anti-virus protection? Regardless of your answer, you probably aren’t doing enough to keep your company secure. Cyber attacks easily bypass traditional signature-based tools, which means you need a security platform that not only works to prevent a breach, but also detects possible attacks and helps you analyze and and if necessary, responds.
The Cloud and mobile devices are hot targets for hackers looking for a way in. The last thing you need is for an employee to potentially bring something into your environment by plugging in their mobile device into your secure network. The bad guys may already be targeting you from outside–don’t make their job easier by having one of your own inadvertently being the malware messenger. Does that mean you shouldn’t adopt a BYOD mentality? Not necessarily. Mobile access is key to many business needs and can help your employees stay productive. It simply means you need to make sure you’re as protected as possible.
And if your system gets compromised, you’ll need tools to respond and contain the breach and mitigate loss. These types of tools take time to implement, and your working committee and executive steering committee should discuss these as soon as possible to they’re prepared for the worst. The right combination of technology, intelligence and expertise can go a long way to managing a compromised network and keeping your company’s doors open.
Business needs change over time. When you’ve got to decide whether how to meet your changing needs, the decision ultimately comes down to a tradeoff between productivity and security. Things to keep in mind at this stage are the potential business impact, the impact on productivity, whether it will help drive the business or deliver service to a customer. These factors must be taken into account when determining whether to undertake a move that may carry additional risk.
Other concerns: How important is this change to the company? Is it impeding the business’ operations to keep the status quo? Will this change open your company up to potential data leakage or privacy concerns?
The bottom line is: you can have a balance between productivity and security. Keeping your company (and your customers) secure cannot mean total lockdown, because no one can do their work. Find a level of risk you’re comfortable with, take the necessary steps to protect yourself as best you can, and have a plan in place to contain a breach in the event it happens. And know that you’ve done everything you can to eliminate one four-letter word from your vocabulary, or at least, to tame it.