CIO Driven Innovation Starts with a Strong Security Posture
As the moderator of a roundtable discussion with some of the brightest CIOs in the tech world, I like to dive deep and get to the root of the various technology and management issues they are confronting. We have had amazing discussions, with participants sharing their personal insights so that we all end up better prepared for the real and emerging challenges we will face when we return to our offices. Currently, these three interrelated issues are trending among CIO thought leaders – driving revenue, “plumbing support,” and security.
Adding Value across the Enterprise
In the past, the IT department was considered a spending black hole – a place that burned cash without adding much to the company’s bottom line. That thinking has changed. A CIO in today’s world is driving the company’s innovation and, consequently, driving its revenue.
With regard to plumbing support, keeping the lights on has always been part of a CIO's responsibilities, but it doesn't stop there. Now the CIO is expected to add value to the organization. Specifically, the CIO is now in charge of developing software that automates repetitive processes, analyzing data trends to inform business decisions, and partnering with other departments to implement new technologies that lead directly to competitive advantage and greater sales.
Against this backdrop, an organization's security posture has never been more important, yet many CIOs find it difficult to convey this in ways that are easy for the board and other executives to assimilate. Success in this endeavor is critical – how you make the business case often determines how much of the budget can be earmarked for security and whether funds will be directed in ways that demonstrably improve the company's security posture.
Managing Security with Visualization Tools
CIO driven innovation can accelerate when security is well managed. A visualization tool can simplify the CIO’s job by highlighting security gaps and providing a clear view to prioritize actions, plans, and investments. An effective tool will provide a framework that distills large sets of data and empowers the CIO to easily understand and convey the security posture to the rest of the enterprise.
A good tool will also perform a baseline analysis of all security metrics relevant to the organization and assign a rating to each one. Presented in plain language, this format lets everyone grasp the current situation at a glance, along with the roadmap for improvement, so that appropriate funds can be agreed upon and targeted more effectively.
Security metrics should be categorized from most critical to least critical. The essentials, like firewall outbound port blocking and weekly PC patching would fall into the most critical category, while change management processes and workstation backups would fall into a less critical category.
Each metric is then assigned a rating of 1 to 10 to describe how the current state impacts the overall security of the business. A rating of 1, for example, would reveal that a significant gap exists between the current and desired state, while a rating of 6-8 would represent a target state that most businesses should aim for. If a business is subject to enhanced government security mandates or a compliance requirement outside of the norm, then the target would be a rating of 10 which indicates a zero gap.
Creating a Roadmap
An effective visualization tool will provide direction on next steps. This roadmap is not intended to identify and implement improvement tasks one at a time in sequence. Most often, the first efforts to close a gap have a bleed effect: they raise not only the ratings of the metrics they target, but also the ratings of metrics in other categories that the tool did not list as the primary objective. So typically several tasks have to be undertaken in parallel to achieve the best results.
For example, overhauling the firewall configuration, implementing firewall unified threat management (UTM), addressing password issues, and executing a data governance program – collectively spanning multiple risk categories – might have to be pursued along with advanced persistent threat (APT) protection, data-at-rest scanning, and external web system security measures, which also span multiple risk categories.
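The rating scheme above (a 1-to-10 rating per metric, a target of 6-8 or 10, metrics grouped by criticality) and the bleed effect of a task across several metrics can be made concrete with a small scorecard. The following is an added illustration, not the visualization tool's own algorithm or output; the criticality weights, the metric names and ratings, the tasks and their estimated effects are constructed sample data, and the greedy ordering is one simple way to build the roadmap, chosen here for clarity.

```python
"""Security-posture scorecard: rate each metric 1-10, measure the gap to its
target, weight by criticality, and order remediation tasks so that a task is
credited for every metric it moves (the "bleed effect").

Added illustration of the rating scheme described in the text; it is not the
visualization tool's own algorithm. Metric names, ratings, weights, tasks and
their estimated effects are constructed sample data."""
from dataclasses import dataclass, replace

# Assumed weights: a point of gap on a critical metric counts three times a
# point on a routine one. The article ranks metrics; the weights are ours.
CRITICALITY_WEIGHT = {"critical": 3, "important": 2, "routine": 1}


@dataclass(frozen=True)
class Metric:
    name: str
    criticality: str   # key into CRITICALITY_WEIGHT
    rating: int        # current state: 1 = large gap ... 10 = no gap
    target: int        # 6-8 for most businesses, 10 under a strict mandate

    def gap(self) -> int:
        return max(0, self.target - self.rating)

    def weighted_gap(self) -> int:
        return CRITICALITY_WEIGHT[self.criticality] * self.gap()


@dataclass(frozen=True)
class Task:
    name: str
    effects: dict      # metric name -> rating points the task is expected to add


def validate(metrics):
    """Reject ratings outside the 1-10 scale or an unknown criticality."""
    for m in metrics:
        if not (1 <= m.rating <= 10 and 1 <= m.target <= 10):
            raise ValueError(f"{m.name}: ratings must be 1-10")
        if m.criticality not in CRITICALITY_WEIGHT:
            raise ValueError(f"{m.name}: unknown criticality {m.criticality!r}")


def posture_score(metrics) -> int:
    """Total weighted gap; 0 means every metric is at its target."""
    return sum(m.weighted_gap() for m in metrics)


def task_value(task, metrics) -> int:
    """Weighted gap a task closes, summed over every metric it touches.
    Overshooting a target earns no credit."""
    by_name = {m.name: m for m in metrics}
    return sum(
        CRITICALITY_WEIGHT[by_name[n].criticality] * min(delta, by_name[n].gap())
        for n, delta in task.effects.items()
    )


def apply_task(task, metrics):
    """Return new Metric objects with the task's effects applied (capped at 10)."""
    return [
        replace(m, rating=min(10, m.rating + task.effects.get(m.name, 0)))
        for m in metrics
    ]


def build_roadmap(metrics, tasks):
    """Greedy ordering: pick the task that closes the most weighted gap, apply
    it, then re-score the rest because earlier picks shrink the remaining gaps.
    Returns (roadmap, final_metrics); each roadmap step is
    (task name, weighted gap closed, posture score afterwards)."""
    validate(metrics)
    state, remaining, roadmap = list(metrics), list(tasks), []
    while remaining:
        best = max(remaining, key=lambda t: task_value(t, state))
        closed = task_value(best, state)
        if closed == 0:
            break                          # nothing left moves a gapped metric
        state = apply_task(best, state)
        roadmap.append((best.name, closed, posture_score(state)))
        remaining.remove(best)
    return roadmap, state


# Constructed sample scorecard (not real measurements).
SAMPLE_METRICS = [
    Metric("firewall outbound port blocking", "critical", 3, 8),
    Metric("weekly PC patching", "critical", 5, 8),
    Metric("password policy", "important", 4, 8),
    Metric("change management", "routine", 6, 7),
    Metric("workstation backups", "routine", 5, 7),
]

# Constructed tasks; the effects show the bleed across metrics and categories.
SAMPLE_TASKS = [
    Task("Firewall overhaul", {"firewall outbound port blocking": 4, "change management": 1}),
    Task("UTM rollout", {"firewall outbound port blocking": 2, "weekly PC patching": 1}),
    Task("Password program", {"password policy": 4}),
    Task("Backup automation", {"workstation backups": 2, "change management": 1}),
    Task("Patch automation", {"weekly PC patching": 3, "workstation backups": 1}),
]

if __name__ == "__main__":
    print("baseline posture score:", posture_score(SAMPLE_METRICS))
    for name, closed, score in build_roadmap(SAMPLE_METRICS, SAMPLE_TASKS)[0]:
        print(f"{name:20s} closes {closed:2d} -> score {score}")
```

On the sample data the baseline score is 35 and the roadmap runs firewall overhaul, patch automation, password program, UTM rollout, backup automation, ending at a score of 0. Note that the UTM rollout drops from 9 points to 3 once the firewall overhaul has closed most of the firewall gap: re-scoring after each pick is what keeps the roadmap honest about overlapping tasks, and it is also why the ordering is a planning aid rather than a strict sequence, since tasks with no overlap can run in parallel.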
In essence, a visualization tool provides the CIO with the equivalent of the CFO’s “balance sheet.” The tool’s output starts with baseline measurements and over time tracks security improvements against an ever-changing threat landscape. This gets all internal and external constituents working from the same playbook and trusting each other so that real progress can be made with a minimal level of fear, uncertainty, and distraction.
Bottom Line Results
With the IT security story clearly conveyed within the context of the business strategy, the CIO helps the Board steer a path toward the right security solutions and investments. This process builds a strong foundation that not only protects the business but lays the groundwork for future innovation. Shedding its reputation as a spending black hole, the IT department takes its rightful place as an indispensable partner in growing the business.