1. Determine the risk
There are dozens of risks that could disable or destroy your business, from market conflagrations, to terrorism, to natural disaster. Rarely do executives wring their hands and obsess over the "what ifs"; rather, they assess the risk of the disaster, plan mitigations, and purchase appropriate protections. IT security should be regarded with the same approach, recognizing the stakes, investigating mitigations, and employing external expertise and tools where appropriate.
2. Provide a voice of reason
With much of the discussion about security bordering on hysterics, the CIO can present a voice of reason. It may be tempting to stoke fears about security in order to capture a larger budget, but bringing calm, reasoned information to the discussion, grounded in your technical and organizational expertise, will build IT's credibility in the long run.
3. Identify and highlight the human factor
Based on recent front-page news headlines, it might be tempting to think that government agents cracking your encryption should be a top concern; however, the simple human factor is likely the largest risk your company is facing. Every IT organization tries, generally in vain, to highlight the risks the human factor presents to security, but rather than sending yet another stern warning, run a test that highlights the risks posed by simple "social engineering." Several companies have sent emails of unknown providence, asking users to click a link that then explains the risks presented by phishing attacks in a far more compelling manner.
4. Simplify security
Like many business problems, security is one where technical and human factors need to be considered. Early responses to security focused on the technical, creating complex and onerous password requirements that resulted in post-it notes plastered to end user PCs with lists of complex passwords. Rather than employing increasingly esoteric complexity requirements, consider using technologies that don't rely solely on complexity, like two-factor and biometric authentication. Even simply consolidating and eliminating access to unnecessary systems can reduce the complexity of your security environment.
5. Plan and execute
Your security plan will never be perfect, and will never cover every potential eventuality. Rather than waiting to develop the absolutely perfect plan, iteratively improve your security and regularly exercise your countermeasures and response plan. An imperfect plan backed by flexible and well-tested processes is better than an extra six months spent planning.
For many CIOs, modern IT security is more of a challenge than many of us ever imagined. However, bringing a calm and reasoned approach to the discussion, combined with disciplined planning and execution, and outside expertise as necessary, will help CIOs guide their companies through these current security challenges.
Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at firstname.lastname@example.org, and you can follow his blog at www.itbswatch.com. All opinions are his and may not represent those of his employer.