Aman Raheja, Chief Information Security Officer, BMO Harris Bank, examined some of the weak links that may increase the likelihood that an organization falls victim to a severe cyberattack in his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Chicago on May 4. In his presentation, "The Weakest Link in Information Security Programs," Raheja explored how organizations can identify information security program improvement opportunities and act upon these opportunities time and time again.
According to Raheja, some of the biggest information security weak links in organizations include:
- Suppliers: Although suppliers can help an organization maintain its productivity and efficiency, a supplier that fails to protect sensitive data effectively may put its partners in danger.
- Management Support: "If you don't have management support, you won't have enough budget to spend to implement technical changes," Raheja noted.
- Budget: Many organizations possess limited time and resources relative to information security.
- Talent: An ongoing shortage of skilled cybersecurity professionals plagues organizations around the globe.
- Changing Technologies: Cloud solutions, the Internet of Things (IoT) and other state-of-the-art technologies create both opportunities and challenges for organizations, particularly when it comes to information security.
Although many organizations understand the importance of an information security program, few organizations possess the skills and tools needed to identify cyber threats effectively, Raheja indicated.
As such, organizations must establish information security priorities, or risk missing out on opportunities to mitigate the effects of cyberattacks.
"There is a subconscious aspect of information security that makes it easier for us to say, 'People are generally stupid, and that is why a [cybersecurity problem] happens,'" Raheja said. "Until that idea is fixed, [information security improvements] will be very hard."
A wide range of cybersecurity issues affect organizations, Raheja stated. Some of these issues are more severe than others, but all must be identified to ensure an organization can build the right information security program.
"On a daily basis, we run into issues from a cybersecurity standpoint. Sometimes we raise our hand about these issues, and sometimes we don't," Raheja noted. "There is not a streamlined process to report cybersecurity issues."
At the same time, organizations must find ways to optimize the time and resources that are available, Raheja said. This often creates a challenge for organizations, especially during the development and deployment of an information security program.
An organization that understands cyber threats can establish the right priorities for an information security program. Then, this organization can use its time and resources to learn about major cyber threats and find ways to minimize their impact, Raheja indicated.
"Not every so-called 'weak link' in information security is worth pursuing," Raheja stated. "Most of us don't have infinite budgets, so we have to have some form of prioritization."
Organizations should consider the short- and long-term effects of cyber threats as they develop information security programs, Raheja suggested. By doing so, organizations can look at their current approach to information security and explore ways to transform cybersecurity weaknesses into strengths.
"Start thinking about how you strategize about what to do after you find weak links or you find out what to do – or what not to do – with information security," Raheja recommended.
Moreover, organizations should collect cybersecurity data, Raheja said. This will allow organizations to understand why cyberattacks may occur and take the necessary steps to resolve such problems.
Raheja also offered an information security framework that includes the following parts:
- Business Value: "If you don't apply the principle of using information security to provide value to the business, then it's a losing battle," Raheja said.
- Industry Benchmark: Organizations should establish cybersecurity goals and monitor their progress over time. This enables organizations to find out if their everyday efforts are successful and uncover the best ways to overcome cybersecurity problems consistently.
- Compliance Management: Many organizations face steep federal and/or corporate compliance requirements relative to information security. Organizations need to learn about these compliance requirements and follow them closely; otherwise, they may incur violations as well as risk exposing their sensitive data to cybercriminals.
- Threat Management: The cyber threat landscape continues to evolve, and organizations should take a proactive approach to cybersecurity to ensure they can protect their sensitive information at all times.
Creating a successful information security plan may seem difficult, particularly for an organization with limited time and resources.
However, organizations that spend some time evaluating information security weak links may be able to identify improvement opportunities. As a result, these organizations can incorporate information security program enhancements and protect their sensitive information against myriad cyber threats for years to come.
Aman Raheja is the Chief Information Security Officer (CISO) for BMO Harris Bank, based in Chicago. He was the Deputy CISO at Express Scripts, a Fortune 25 company, for three years and has led Information Security for multiple businesses at CitiGroup. He has experience orchestrating and executing enterprise information risk management strategy. He has led transformations across multiple security domains that ensure compliance, employ prudent risk management and maintain business focus.