What the Chief Information Security Officer Wants the Executive to Know
By Karen R. Pratt, Cyber Security Officer, Washington County
Know That Cybersecurity is a Team Sport
• First and foremost, know that EVERYONE has a role. Even the individual who may not have access to a computer, but who is an employee who lets someone in, provides company information to someone on the telephone, or provides unauthorized access to equipment – all are part of the cybersecurity team.
• Know that you have a responsibility to secure the information the organization holds. Individuals in the organization generate, process and store information that other people want for malicious reasons. You have a role, and knowing about cybersecurity is important in your organization.
• Know that the CISO is a partner (and at times a coach) who wants to help you move the organization forward and achieve the organizational goal.
Know What the Organization Has and Who Has Access to It
• Know what the organization has, the importance of it, and the impact should the organization lose it or have it stolen. If you don’t know what you have and are not managing it, it’s a risk.
• Know that the organization should inventory ALL computer software and hardware. This is a huge undertaking, but know what you have and its purpose. You can’t know whether you have lost something, or whether you are minimizing the risk, if you don’t know what you have to start with.
• Know the kind of information the organization has (such as financial records, contact information, address information, payroll information, Social Security numbers, home addresses, phone numbers, personal and work email addresses, purchasing history), and what it will mean if it gets into the hands of someone who wants to do the organization harm.
• Know who has access to your data and equipment, including your vendor community/3rd parties. Does your 3rd party use a 4th party? Do you know where they are storing your data, who has access to it, how they are accessing it, and how they are protecting it?
• Know what is critical to your operation. The more critical it is, the more important it is to protect it.
• Know that NYS Technology Law requires municipalities to have a breach notification policy in place documenting the procedures to take in the event there has been unauthorized access to private information compromising the security, confidentiality, or integrity of the information.
Know That You Need to Invest and Dedicate Resources
Protection is not free. Yes, some services offered by state and federal partners are free, but not everything. You will need to dedicate funding and TIME for employee training – remember, they are the gatekeepers. In many cases they are the ones standing between securing organizational data and allowing a malicious actor access to organizational data. Why not train them on what to look for? You will need to invest in tools to scan for anomalies. You will need to invest to make sure your systems are updated so that malicious individuals do not take advantage of publicly known vulnerabilities. And there are more tools, training and policies, but know that you will need to invest for the future of the organization.
Know Where You Are in Your Cyber Journey
• Vulnerability Assessment – if there is one thing that all counties should be familiar with, it is the NCSR (National Cyber Security Review) and the CIS Top 18 Controls framework. Both are tools that are easy to use and a great framework to adopt. They display your cyber maturity and progress, strengths, weaknesses and areas for improvement.
• Remember, it’s a journey. The needle will move a little at a time, but know that what you do today will improve your cyber posture for tomorrow.
NYSAC News | www.nysac.org