By Scott S. Smith
Security Practice Lead
The recent data breach at Equifax is just one of the latest in a long string of high-profile cybersecurity failures. In this particular case, the Social Security numbers and other sensitive information of up to 143 million Americans were exposed. In another case, the NotPetya attack spread very quickly to corporations around the world, including the giant shipping company Maersk, and severely hobbled their operations.
These and other recent cybersecurity failures in the news have resulted in intellectual property loss, disclosure of embarrassing communications, loss of business, massive public relations nightmares, and more. And that’s just for the high-profile cases!
The reality is, cybersecurity breaches happen every day, and they hit organizations of all sizes. If you are not actively addressing your cybersecurity risks, it is most likely just a matter of when—not if—your organization will suffer the consequences.
Your business-driven needs for cybersecurity
That said, there is no one-size-fits-all cybersecurity plan that will address all of your organization’s unique risks. Before you start working on getting a cybersecurity plan in place (which will be the topic of my next article), it’s a good idea to first assess your strategic security needs from a business perspective. What types of security breaches, or lapses, would have the greatest impact on your business?
Some of the most common reasons why businesses need cybersecurity include:
- Protect Personally Identifiable Information (PII) – Your databases may include PII for your employees, your customers, and/or your customers’ customers. You need to identify exactly what PII is in your system, and then track it all the way up and down the chain to also identify who else touches this data.
For example, say you’re a medical supplier and your database includes PII of patients who are participating in a clinical trial. Because you get this information from medical clinics, your risk exposure is in two places: while the data is being transferred to you, and while the data is in your systems (including backups, failover locations, and anywhere else it may reside). The critical nature of protecting personal medical data is the reason HIPAA has been put in place.
Another common example is your Human Resources database, which contains sensitive PII for each of your employees, past employees and job applicants. If you share this database with a third-party payroll vendor, your risks extend to breaches at their facilities and systems, too. Even a database as simple as one that just has customer names and addresses contains sensitive PII.
- Comply with Government Regulations – Many businesses are affected by government regulations, such as HIPAA, PCI or Sarbanes-Oxley, that require the implementation of specific security measures. In this case, staying in compliance with these regulations is one of your business-driven needs for security.
However, although regulatory requirements for cybersecurity are often onerous, they are never exhaustive. Although complying with applicable regulations must be part of your cybersecurity plan, you cannot rely on regulations to drive your security.
- Protect Your Organization’s Intellectual Property – You need to identify all of your organization’s intellectual property (IP), and then determine which of this IP truly requires protection. What would be the impact on your business if this IP was stolen?
- Avoid Negative Publicity – As I mentioned earlier, cybersecurity breaches can cause massive public relations nightmares. How risk-averse do you need to be based on the potential impact of negative publicity? If a “CNN moment” could sink your business and wreck your brand, this is an important business-driven need for cybersecurity.
- Keep Your Operations Running – Some cybersecurity incidents, such as virus and ransomware attacks, can cause your entire business to grind to a halt. From the business needs standpoint, you need to assess what types of cybersecurity failures could cause your business to go down.
Conclusion
Your organization may have any number of business-driven needs for cybersecurity, including those that are on the above list. If you have not identified these drivers, you are likely overlooking a risk that could cause severe damage, or worse, to your business. If you need help assessing your unique cybersecurity risks, give us a call. Cybersecurity is one of our areas of expertise.
About Scott S. Smith
Scott is an experienced cybersecurity executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.