Security is a core competency that businesses of all sizes must master today. Companies not only need effective safeguards against security breaches and attacks but must also build resiliency into their operations so they can take a hit and bounce back. Security can be considered a “shock absorber” that helps businesses absorb a hit and then continue forward.
One of the primary challenges noted during the Power Hour presentation is educating people both inside and outside the organization on the importance of maintaining a secure environment, as well as what steps to take to reduce the impact of a cyber-breach.
“We invest a lot in our awareness program, both from a training perspective, but also from an information exchange perspective to try and help people understand what the potential risks are and how they can help us mitigate those risks,” explains Tom Kuczynski, CIO at the District of Columbia Water and Sewer Authority, who participated in the webcast. “That’s actually helped us create some greater awareness.”
Stephen Webster, CTO at MRE Consulting, Ltd., echoed those thoughts, noting that his concerns go beyond the physical organization to the companies that are part of the consultancy’s client base. “We have a lot of distributed people out in the field at client sites, so we must rely on a very decentralized infrastructure to protect ourselves from cybersecurity events.”
Since every client’s needs and operating structure are different, there is always some worry about whether the company’s consultants are following established processes. “Are they making the right decisions? Are they trying to circumvent something in the heat of the moment to get something done for a client?” Webster notes.
Some key points raised during the session, moderated by Bob Bragdon, Publisher of CSO.com:
- Customers and clients are becoming more concerned about security and potential risks. There is more scrutiny on the security aspects of a contract or engagement. As a result, clients are pushing more compliance-related mandates onto suppliers and partners.
- Business managers and boards are more cyber-savvy. There are a lot more conversations and recognition of what the threats are, how they can impact the company and affect clients downstream.
- Reputational risks associated with cyber-attacks are a rising concern. Once information concerning a breach is released to the public, a company’s reputation is impacted, and that can be very hard to fix. A breach “affects our reputation, affects our ability to deliver for our clients and, depending upon the nature of the breach, it may cost us business or eliminate our ability to do any future work with a client,” explains CTO Stephen Webster.
Can a company be totally prepared to avoid or even bounce back from a cyber-incident? Unfortunately, the answer in most cases is no, admitted the IT leadership panel.
“We have protocols in place and we’ve got things that are designed into our process,” says CIO Tom Kuczynski. But, the dynamics may change after an incident is discovered and people start asking how and why it happened. “We’re prepared, but I hesitate to say we’re well-prepared,” he points out.
The best you can do is to be as prepared as possible today, but realize the world changes every day and you therefore must constantly refine the process, presenters advised.
If you’re interested in participating in virtual sessions like this and others that target strategic IT issues or would like to learn more about the CIO Executive Council, please contact us.