CISO should be the dyke warden of IT security

Ian Yoxall, Principal Consultant, Intragen

When it comes to IT security, many people have an SEP (Somebody Else’s Problem) mentality. Responsibility for security cannot be outsourced. It is a problem that belongs to everyone.

The Netherlands has been known for its endless battle against the water since the Middle Ages. The dykes are under constant monitoring, and pumps keep them functioning properly. This is not without reason: everyone understands that dykes matter because water does not care whether you are a doctor or a homeless person. The dyke warden, or dijkgraaf, was and is a respected figure. The night he knocked on your door and told you to work on the dyke, you did so without complaint or hesitation. Furthermore, the monitoring of the dykes is well organized, because if you only act once the water overflows, you are too late.

IT security today may not be given the same status as dyke monitoring, but it should be. We regularly hear news of data breaches in the press and how disastrous the consequences can be. Furthermore, the need for security in the digital world is becoming more important as ever-increasing volumes of information become available online, and the bad guys out there are getting more skilled at finding ways to steal and exploit this information. The question for a CISO perhaps should be: how do I make IT security a company-wide service that is taken as seriously as dyke monitoring in the Netherlands? Here are three practical steps to raise the profile and effectiveness of IT security in the modern enterprise:

  1. Make the CISO a dijkgraaf. Since I first wrote this blog in Dutch, GDPR has come along and has effectively done just that. Whilst it’s true that the CISO is responsible for IT security, he/she often lacks the authority to implement policies. I wrote that the CISO should be a board level position but in practice, this was rarely the case. GDPR changes this. The ‘business first’ argument can no longer ignore security, so policies that control and govern access to data now have teeth. Giving the CISO the same mandate as a dijkgraaf from 1600 means that policies will be implemented with the follow-on benefits to business being realised.
  2. Stop outsourcing problems. Many organizations think that security is not a core business activity. They see it as a responsibility that they would rather not have and that adds little business value. The desire to outsource the issue to third parties who can take that responsibility away is tempting. This is a big NO. People outside your organization are not best placed to know what is happening inside and what really are the major security risks for your business. Technology is only part of the challenge for security. More often security is a problem rooted in people and process. Outsourced companies do not have the in-depth knowledge of your business environment. Dedicate at least one internal employee who can focus on your business requirements as well as understanding the security domain. Also, continue to favour internal or appliance-based solutions instead of cloud when it comes to security. Cloud-based solutions have not yet reached levels of maturity to provide the full range of security services needed in complex business environments. For today, the responsibility for IT security should reside within your organization, not outside. Who do you want to sit at the controls?
  3. Ensure proper security analytics. In the Netherlands dyke monitoring has always been extremely important, and the same monitoring requirements now apply to the security objectives of businesses today. There may be many incidents where someone notices unexpected traffic or captures suspicious user, application or network activity. This highlights the need for effective security monitoring. Making security analytics a top priority helps organizations understand the risks and define limits on what should be regarded as suspicious activity. Technology allows you to track many aspects of a user, but without defining profiles and limits, you can’t set alerts. With those in place, you can stop putting your finger in the dyke whenever there is a hack. Oh, and just to make sure you know, you are being hacked. You just don’t know it.
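To make the last point concrete, here is an added example (my own illustration, not code from the original post or from Intragen) of the "profile, then limit, then alert" idea: a per-user baseline is built from a short history of normal activity, limits are derived from that baseline, and new events outside the limits raise alerts. The log records, the hour-slack and volume-factor thresholds, and the user names are all constructed for the example.

```python
"""Baseline-and-limit alerting over constructed access records.

Each user gets a profile built from their normal history (the hours at
which they are active and their usual download volume). Limits derived
from that profile decide which new events produce alerts. A user with no
profile cannot be judged at all, which is exactly the "no profile, no
alert" problem the text describes.
"""
from collections import defaultdict
from statistics import median

# Constructed training history: (user, hour_of_day, bytes_downloaded)
HISTORY = [
    ("alice", 9, 12_000), ("alice", 10, 15_000), ("alice", 14, 11_000),
    ("alice", 16, 13_500), ("alice", 11, 14_000),
    ("bob", 8, 200_000), ("bob", 9, 250_000), ("bob", 17, 180_000),
    ("bob", 13, 220_000), ("bob", 15, 210_000),
]

# Constructed events to evaluate against the profiles
NEW_EVENTS = [
    ("alice", 10, 13_000),    # within normal hours and volume
    ("alice", 3, 12_500),     # activity at an unusual hour
    ("bob", 12, 2_400_000),   # volume far above the user's baseline
    ("carol", 9, 5_000),      # user with no baseline profile yet
]

HOUR_SLACK = 2      # hours outside the observed window that are tolerated
VOLUME_FACTOR = 4   # alert when bytes exceed this multiple of the median


def build_profiles(history):
    """Return {user: (min_hour, max_hour, median_bytes)} from normal activity."""
    per_user = defaultdict(list)
    for user, hour, nbytes in history:
        per_user[user].append((hour, nbytes))
    profiles = {}
    for user, rows in per_user.items():
        hours = [h for h, _ in rows]
        profiles[user] = (min(hours), max(hours), median(b for _, b in rows))
    return profiles


def evaluate(events, profiles):
    """Return a list of (user, reason) alerts for events outside the limits."""
    alerts = []
    for user, hour, nbytes in events:
        if user not in profiles:
            alerts.append((user, "no baseline profile; activity cannot be judged"))
            continue
        lo, hi, med = profiles[user]
        if hour < lo - HOUR_SLACK or hour > hi + HOUR_SLACK:
            alerts.append((user, f"activity at hour {hour} outside {lo}-{hi}"))
        if nbytes > VOLUME_FACTOR * med:
            alerts.append((user, f"downloaded {nbytes} bytes, baseline median {med}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(NEW_EVENTS, build_profiles(HISTORY)):
        print(*alert, sep=": ")
```

In practice the profile would be learned from weeks of real logs and the limits tuned per role, but the structure stays the same: no profile, no limit, no alert.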