Secure by choice not by chance
I was driving recently and when I pulled up at the traffic lights, I noticed the truck in front of me had a sticker that read ‘safe by choice, not by chance’. It spoke to me as I thought about how many of my clients say to me ‘oh we have never had a big breach – we are so fortunate’. Being more secure doesn’t have to be good fortune. I loved the reminder on the truck that we make a choice about our security. We make a choice to have a dedicated security function. We make a choice to invest in having a secure culture, secure processes and secure systems. We make a choice to use security-focussed language in our every-day vernacular.
When I work with an organisation, often they need a leader because they had a breach or are responding to an audit. Sometimes a regulation has changed or the board demands a security figure-head be hired. Making the choice to respond to this trigger for hiring a leader is good. However, making the choice to hire before you are under pressure to do so is even better.
Within your organisation, you may have some talented technical professionals who are ‘managing’ the security tools and processes for you. As a CIO, you may own the security policy and be the voice of security for the business. This can be a challenge given the other plates you are spinning. If you make the choice now to put a dedicated leader in place who will plan your security future, take proactive action to uplift security maturity and influence behaviour change in your employee community, you are much more likely to lower your information security risk.
I’m not saying that just because you have a leader you won’t be breached. Sometimes this is out of our control. What I am saying is that making a choice to invest in a security leader can only decrease the likelihood and impact of a security event and increase your resilience. Is your organisation secure by choice or by chance?