A CEO's Guide to Security Compliance

Joe Carson, Director at Thycotic

A main concern for CEOs is knowing that the business is running smoothly. While sales and operations are top of mind, the security of the company needs the same awareness and care. While juggling many business functions, CEOs just don’t have the time to worry about small intricacies. New threats like ransomware make security a more pressing concern for enterprises now than ever before.

With security experts in place, the IT staff needs to be trusted to run the infrastructure without data breaches. Without getting into the weeds, CEOs should know the company’s security processes and how to keep the business running without being breached. Here’s how CEOs can keep tabs on their security landscape without being entrenched in every time-consuming detail:

Train Individuals for Cyber Security

Cyber security awareness training should be at the top of the agenda. Security awareness training is one of the most effective ways of reducing a company's exposure to cyber security threats, and it improves both detection and incident response at the same time.

It is highly recommended that training starts at the top of the organization, working down. CEOs should appoint a cyber security ambassador within each department to assist in the detection and incident response for potential cyber security threats and risks. This helps expand the efficiency of any IT security team, while ensuring that there is someone in the organization who is accountable for implementing and maintaining cyber security measures.

Encourage Separate Passwords

Let’s face it. We’re all getting older and it becomes increasingly harder to remember which one of our two or three go-to passwords we used for a certain login. Most likely, we reuse our personal passwords as our work passwords. And when a very complex password is required, many employees revert to writing it down because it is hard to remember. This creates an exposure to external threats that companies should continuously assess.

In an advanced threat, an attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization’s structure, clients, etc. Employee social media activities will be monitored to extract information about the systems and forums favored by the user and any technology vulnerabilities assessed. Once a weakness is found, the next step the attacker will take is to breach the cyber security perimeter - the basic security most companies adopt - and gain access, which, for most attackers, is easily done. To avoid such an impact on business, CEOs should ask the CIO to implement a company-wide password change every so often and provide suitable training for employees on best practices for password choice.

Have a Small Access Circle

A CEO needs to implement the concept of “least privilege.” Least privilege means that an employee is only granted access to the resources and applications they require to do their work, and therefore does not hold elevated privileges that could result in a cyber catastrophe. Take a quick count of who has access to what, and redistribute access rights if needed.
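As an added illustration of that “quick count” (this is example code written for this page, not the author's or Thycotic's), the following Python script compares what each person has been granted against what their job role actually needs and reports the excess, plus how many people hold each elevated right. Every user name, role, and entitlement string in it is constructed sample data.

```python
# Added example: a minimal least-privilege access review over constructed data.
# It answers two questions the text raises: who holds rights beyond their role,
# and how many people hold each elevated right.

from collections import Counter

# Constructed baseline: the entitlements each job role needs to do its work.
ROLE_BASELINE = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"erp:read", "erp:post-journal"},
    "it-admin": {"ad:domain-admin", "crm:admin", "erp:admin"},
}

# Constructed list of entitlements that count as elevated and deserve
# a named owner and a written justification.
PRIVILEGED = {"ad:domain-admin", "crm:admin", "erp:admin", "erp:post-journal"}

# Constructed inventory: user -> (role, entitlements actually granted).
INVENTORY = {
    "alice": ("sales", {"crm:read", "crm:write"}),
    "bob": ("sales", {"crm:read", "crm:write", "crm:admin"}),  # holds more than sales needs
    "carol": ("finance", {"erp:read", "erp:post-journal", "ad:domain-admin"}),  # leftover admin right
    "dave": ("it-admin", {"ad:domain-admin", "crm:admin", "erp:admin"}),
}


def excess_entitlements(inventory, baseline):
    """Return {user: sorted entitlements beyond the user's role baseline}.

    Users with nothing beyond their baseline are omitted. A role missing from
    the baseline is treated as needing nothing, so everything it holds is flagged
    rather than silently accepted.
    """
    findings = {}
    for user, (role, granted) in inventory.items():
        extra = granted - baseline.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def privileged_holder_count(inventory, privileged):
    """Return {elevated entitlement: number of users holding it}."""
    counts = Counter()
    for _, (_, granted) in inventory.items():
        for entitlement in granted & privileged:
            counts[entitlement] += 1
    return dict(counts)


def review_report(inventory, baseline, privileged):
    """Render both results as plain text lines suitable for a management summary."""
    lines = ["Access beyond role baseline:"]
    for user, extra in sorted(excess_entitlements(inventory, baseline).items()):
        lines.append(f"  {user}: {', '.join(extra)}")
    lines.append("Holders of elevated rights:")
    for entitlement, n in sorted(privileged_holder_count(inventory, privileged).items()):
        lines.append(f"  {entitlement}: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(INVENTORY, ROLE_BASELINE, PRIVILEGED)))
```

In a real environment the inventory would be exported from the directory or identity system rather than typed in; the point of the script is that once a role baseline is written down, the over-privileged accounts fall out mechanically and the review can be repeated on a schedule.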

Most companies need to invest more to detect when employees inside the secured perimeter are potentially engaging in malicious activities, and to reduce the breach “dwell time.” It’s an average of 205 days before an attack is detected, a period during which the attacker has gained access, avoided detection, taken information and left without a trace.

Be Deceptive and Unpredictable

Having predictable security procedures can make the company vulnerable. Establish a mindset with your staff in which systems are updated and assessed on an ad hoc basis. Most organizations look to automation to assist in their cyber security defenses. But for many, this lends itself to predictability.

Scans are run at the same time every week, patches take place once per month and assessments are made once per quarter (or even once per year). As the CEO, be one step ahead of the hackers and randomize your security activity. This will increase the company’s capability to detect active and potential cyber-attacks and breaches.

About the Author

Joe Carson is a cyber security professional with 20+ years’ experience in enterprise security & infrastructure. Joseph is a Certified Information Systems Security Professional (CISSP). An active member of the cyber security community, Joe is a Director at Thycotic.