February 6, 2018
IT Leadership Meeting Recap: IT Security & Risk: CyberSecurity
Security in an organization can be costly in dollars and resources, which is why it can sometimes be put on the backburner. However, it is something that should be made a priority in all organizations, no matter the size. In our discussion during last Friday's IT Leadership group meeting, David Young, Director of Information Security at Medica, and Sarah Engstrom, CISO & Director of Productivity at CHS, shared their experiences surrounding the topic IT Security and Risk: CyberSecurity.
To start off the conversation, they walked through the security threat model, which helps identify potential threats to an organization by weighing the likelihood of each threat against its impact. This model helps an organization understand who may be targeting its data and what they are after. Once this has been established, an organization can determine which threats need to be constantly monitored and how best to allocate its time and resources. Following the security threat model is one step, among others, toward improving security within your organization.
Establishing a framework is crucial when defining policies and procedures around the implementation and continuous management of security. Not all frameworks are equal; therefore, what works for one organization won't necessarily work for another. It's important to find the framework that best fits your organization's size, complexity, and budget.
In order for this framework to work as intended, it's important to have a board that treats security as a high-priority agenda item. Security is everyone's responsibility and needs to be driven from the top of an organization. Hearing experiences and examples from other organizations helps raise awareness of the issue and shows what makes security risks real.
Security checks and behavioral management should be an ongoing process. This could include strengthening access control, running internal phishing simulations, applying patches, and making sure systems are up to date. Educating employees is not only a great place to start, but also something an organization can act on immediately. The phrase "it will never happen to us" is too commonly used among organizations, when in reality a breach could be just one click away.
In what ways are you utilizing security within your organization?