Ten Security Questions Every CIO Must Be Able to Answer

The most important thing CIOs in any industry need to know about IT security, according to Logicalis US, an international IT solutions and managed services provider, is that, despite the hype, the fear, and the complexity of available solutions, securing digital assets is fundamentally about managing risk.

"It's important for IT professionals to take their IT security risks seriously," says Ron Temske, vice president of security solutions for Logicalis US. "The first thing that has to be established is what you are trying to protect, and whether or not all of your digital assets need the same level of protection. Most organizations don't think that way; they see security as a single, across-the-board, ubiquitous solution. People often think if they have a firewall and antivirus in place, they're secure. Others believe no one is targeting them. In both cases, nothing could be farther from the truth. If all you have is traditional antivirus and a firewall, you might as well give your information awa—and you might be doing just that. Once a threat moves beyond the firewall, you lose visibility and control of that threat, and that can happen as innocently as having an employee who unwittingly plugs a USB infected with malicious code into their desktop or laptop. The biggest unpatched security vulnerability you have is your people. And even if your organization isn't high profile, your unsecured IT can become a back door for cybercriminals trying to break into your partners' or clients' systems. The solution is to develop and implement a comprehensive security program that spans the entire attack continuum—before, during, and after an attack."

This is why, Logicalis experts say, it is critical to know what you are trying to protect against. A common acronym used among security professionals is CIA, which stands for confidentiality, integrity, and availability.

• Confidentiality is primarily associated with protecting the assets that would cause the client harm if they were disclosed—think patient records in a hospital setting or credit card numbers on a major retail site.
• Integrity is about ensuring data remain accurate and unaltered—patient prescription information is a good example.
• Availability is about ensuring that business-critical assets are accessible when needed—consider the importance of medical personnel knowing a patient's allergies.

To develop a plan that meets CIA objectives, Logicalis suggests organizations embrace two important truths: First, because cybercrime has proven to be a highly profitable venture, everyone has valuable information that criminals want. And second, eventually, every business will experience some sort of breach. Before designing and implementing security solutions to mitigate those risks, Logicalis suggests organizations partner with a solution provider experienced in security measures that can perform a vulnerability assessment to identify areas where the organization's attack surface can be reduced. Also helpful, the company says, is examining services like Logicalis' Managed Security offering which can help IT pros focus on their business rather than being distracted by varying degrees of cyber threats and related security posture changes.

"Businesses often put off creating comprehensive security solutions because they fear the price tag, but there's no need for that," says Jason Malacko, IT security expert forLogicalis US. "It's true that there is no silver bullet. Security is a process, not a product. People who want to find the 'one thing' that will protect their entire organization won't find that because it doesn't exist. That's because, with mobility and IoT, there is no single perimeter to protect anymore. Security is more complex than that, and it's our job as security experts to take that complexity out of the equation while helping our clients protect their digital assets as fully as possible. But that doesn't mean people have to deplete their budgets; the key is to match the solution to the client's actual—rather than perceived—business needs. No one should buy a $1,000 safe to protect a $100 bill."

Cybercrime is an insidious business; it happens in plain sight, avoids detection, and causes damage quickly. There are even cybercrime-as-a-service offerings available to criminals who lack the technical know-how to reap the big jackpots capable of totaling tens of millions of dollars. So, how do you prepare your organization to overcome an eventual attack? According to Logicalis, the solution begins by answering 10 important questions:

1. If you knew that your company was going to be breached tomorrow, what would you do differently today?
2. Has your company ever been breached? How do you know?
3. What assets am I protecting, what am I protecting them from (ie, theft, destruction, compromise), and who am I protecting them from (ie, cybercriminals or even insiders)?
4. What damage will we sustain if we are breached (ie, financial loss, reputation, regulatory fines, loss of competitive advantage)?
5. Have you moved beyond an "inside vs outside" perimeter-based approach to information security?
6. Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls, or both?
7. What is your security strategy for IoT (also known as "the Internet of threat")?
8. What is your security strategy for "anywhere, anytime, any device" mobility?
9. Do you have an incident response plan in place?
10. What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?

Source: Logicalis US