A CISO's life is a lonely one, particularly if you work in the public sector, which accounted for 22% of last year's data leaks. It's an environment where sensitive data constantly flows between different organisations through people with stressful jobs: a hacker's goldmine.
Data leaks at municipalities and their affiliates have dire consequences for many people, yet whenever it happens people are quick to point to the CISO as the one responsible. For all the times a CISO saves a company from data leaks, reputational damage and public humiliation, you usually get attention only when things go wrong.
Asking your colleagues for feedback can therefore be a fruitless undertaking: they barely know what it is you do exactly. That's why we created an easy checklist for you, so you can quickly gauge the quality of the (online) security in your organisation.
Below are 9 questions. The most effective CISO is the one who answers "yes" to all of them!
1. Are you proactively scouring for possible cyber attacks?
To catch a hacker, one must think like one. All a hacker needs to succeed is one tiny vulnerability in your organisation.
With penetration testing, attack simulations and monitoring of data traffic, you can find your weak spots before a hacker does.
2. Are you aware of the dangers of regular email?
Older, well-known email systems are cheaper and people are used to them. It's the classic trap short-term thinkers tend to walk right into. Today's email solution can be tomorrow's email problem, so don't be a "security Scrooge" by ignoring new players and products as they enter the market. Investing in newer, more advanced technology will always prove cheaper than sticking with cheap email solutions and paying the price of a data leak.
3. Is encryption your priority?
Whenever you leave home, you no doubt lock your front door. It begs the question: do you apply the same level of security to sensitive emails?
The occasional CISO these days still doesn't prioritise encryption, and hackers benefit as a result. Encryption allows you to send data securely while making sure it arrives only at the intended recipient. Don't be the CISO who lets this one slip by.
4. Are you putting online security on the agenda?
Is your organisation's leadership fully aware of the dangers of everyday internet use? It's a CISO's responsibility to make sure they are. Their level of awareness dictates policy, so it's up to you to make online security a priority for them.
5. Are you GDPR compliant?
This should be a no-brainer. GDPR exists to protect your data and the people using it. Ignoring GDPR is inviting trouble to knock on your door.
By incorporating GDPR in your company policy, you prevent unnecessary fines, but most importantly you make it incredibly difficult for hackers to steal your data.
6. Have you accounted for all the humans?
Human error causes most data leaks. Accidentally sending an email to the wrong person, attaching the wrong file or mistaking "cc" for "bcc" are just a few ways in which a split-second mistake can have disastrous consequences.
Since no human being can fully focus on security all day long, it's up to the CISO to make sure the IT security in place actually accounts for all the humans using it. Ask yourself if your co-workers are prompted by notifications, verifications and authentications whenever they should be, or if perhaps they could use an extra reminder every now and then. That extra reminder could mean a world of difference.
7. Is your IT solution easy to use?
Does everyone in your organisation know how to use their computer and the software on it? If not, you have a problem. For an IT solution to be effective, it needs to be easy, for everyone.
As you probably know, it's easy to overestimate people's computer skills. One proven method to significantly lower your everyday risk is to choose a solution that neatly integrates into people's existing work environments. A simple button in someone's Outlook or Gmail, for instance, is much safer and more effective than forcing people to use multiple apps and devices.
8. Are you avoiding endless awareness training sessions?
Every so often we come across a so-called "train wreck": the CISO who spends large chunks of their time sharing extensive PowerPoint presentations with their co-workers. While creating awareness is a good thing, training sessions are not the way to do it; they only cost you precious time.
Awareness only lingers when you're able to integrate it with people's daily work activities. For instance, instead of talking endlessly about the importance of two-factor authentication, you opt for an email solution that prompts people to actually use it at the very moment they need to. A proactive, user-friendly interface that never tires is much more effective than any number of training exercises.
These days in particular, with working from home becoming mainstream and people relying on their own devices more than ever, it's important not to rely on the contents of that one PowerPoint presentation people may or may not have been paying attention to.
9. Do you ever ask for help?
No one can single-handedly change an entire organisation, nor should anyone want to. As a CISO, you depend on others to achieve your goals as much as they depend on you. Don't be shy about asking for help, whether from the rest of the IT department, from management or even from the end users.
So, how did you score? Did you get all 9 out of 9, or is there still some work to be done? Whatever the outcome, we hope this simple checklist helps you prioritise the many tasks you face on any given day.
Looking for ways to make your life easier, while increasing your effectiveness as a CISO at the same time? Check out our free demo to discover an easy and effective way to fight data leaks!