IT security is a difficult issue, especially with the topic
gaining unprecedented exposure in the press as of late. Not only do you have to
worry about nefarious governments and freelance hackers, but you must now add
government agencies like the NSA and even organized crime to the list of security
concerns. Budget discussions are no longer simple matters of dollars and cents,
but questions about the very security of your company’s proprietary, financial,
and customer information. So what are some pragmatic and quick steps you can
take to increase security? Here are some ideas:

the risk

There are dozens of risks that could disable or destroy your
business, from market conflagrations, to terrorism, to natural disaster. Rarely
do executives wring their hands and obsess over the “what ifs”; rather, they
assess the risk of the disaster, plan mitigations, and purchase appropriate
protections. IT security should be regarded with the same approach, recognizing
the stakes, investigating mitigations, and employing external expertise and
tools where appropriate.

Provide a voice of reason

With much of the discussion about security bordering on
hysterics, the CIO can present a voice of reason. It may be tempting to stoke
fears about security in order to capture a larger budget, but bringing calm,
reasoned information to the discussion, grounded in your technical and
organizational expertise, will build IT’s credibility in the long run.

and highlight the human factor

Based on recent front-page news headlines, it might be
tempting to think that government agents cracking your encryption should be a
top concern; however, the simple human factor is likely the largest risk your
company is facing. Every IT organization tries, generally in vain, to highlight
the risks the human factor presents to security, but rather than sending yet
another stern warning, run a test that highlights the risks posed by simple
“social engineering.” Several companies have sent emails of unknown provenance,
asking users to click a link that then explains the risks presented by phishing
attacks in a far more compelling manner.


Like many business problems, security is one where both technical
and human factors need to be considered. Early responses to security focused on
the technical, creating complex and onerous password requirements that resulted
in post-it notes plastered to end user PCs with lists of complex passwords.
Rather than employing increasingly esoteric complexity requirements, consider
using technologies that don’t rely solely on complexity, such as two-factor and
biometric authentication. Even simply consolidating systems and eliminating access to
unnecessary ones can reduce the complexity of your security environment.

Plan and execute

Your security plan will never be perfect, and will never
cover every potential eventuality. Rather than waiting to develop the
absolutely perfect plan, iteratively improve your security and regularly
exercise your countermeasures and response plan. An imperfect plan backed by
flexible and well-tested processes is better than an extra six months spent

For many CIOs, modern IT security is more of a challenge than
many of us ever imagined. However, bringing a calm and reasoned approach to the
discussion, combined with disciplined planning and execution, and outside
expertise as necessary, will help CIOs guide their companies through these
current security challenges.