Orchestrating cybersecurity in business: who is in charge?
Updated: 19 hours ago
"Cybersecurity? Yes, hold on, I'll get you the IT manager!"
This sentence is probably the one our sales force hears most often. And yet it is so reductive...
Stating the obvious? Well, think again: this error, which consists of seeing the IT manager as the person responsible for digital security, is still widespread, including within companies that are digital by nature (software publishers) and in the minds of young employees.
Some food for thought:
All the digital building blocks involved in one way or another in a company's activity potentially (and probably) carry risks.
Your digital operating infrastructure: you are a law firm, so your digital storage and communication resources are known risks. Here it is indeed your IT team, often outsourced, that is in charge. By the way, is your IT provider an expert in cybersecurity?
Your digital manufacturing infrastructure: yes, Industry 4.0 is here. Your manufacturing line is starting to incorporate connected objects, and your equipment generates data that your production engineers are happy to have. Is all of this in the hands of the IT department? The same one that manages word processor updates for the administration department? That is quite a big difference, so perhaps the production manager doesn't tell the IT manager much about the new sensors integrated into the equipment that allow fine-grained remote control of the line...
Your software products: whether it is a complete software product or just a few lines embedded in the device you are marketing, this code carries risks that depend on its design and implementation. SQL injection and input validation? The infrastructure manager will not be the one worrying about them. So here the software manager, or the product owners, depending on your organisation, must address the issue. The material impact of an attack may fall on your customers, but the reputational, and therefore financial, impact will fall on you...
Your employees: what do you mean they are not a digital building block? Using personal computer equipment for work, disclosing information on professional or other social networks, storing professional documents on dubious cloud services, clicking on phishing e-mails, etc. The IT manager can't control everything, so your employees are an unavoidable 'shadow IT' for which the IT department cannot take responsibility. So here, could we involve the Quality department? Or, for smaller organisations, the HR department? I am only scratching the surface of the complexity of the digital security landscape here. So how do we get these multiple managers involved, who often have a lot of work to do and are not specialists in cybersecurity?
The right idea is to give your company a tool and a role.
The tool: the Information System Security Policy (ISSP). This document makes it possible to build a global strategy for securing the company's practices and to implement it everywhere.
The role: the Information System Security Manager (ISSM), the role English-speaking organisations usually call the CISO. The mission of this expert is to steer the company's digital security in its entirety, in collaboration with the IT or infrastructure manager, with the software managers, with the Quality and HR departments, etc. The ISSM will be able to (and will have to) design an ISSP and ensure that it is applied on a daily basis. Employing this expert full-time is often impossible, or simply not necessary, for VSEs and many SMEs. The outsourced, time-shared ISSM is the solution. Since its creation, CyberSecura has been offering time-shared support services, in line with its view that this role, which is part of a long-term, cross-functional approach, is the right way to improve the digital security of any company, large or small.