CIOReview | 19 DECEMBER - JANUARY

"I think security folks should learn about databases, operating systems, hardware, configuration, and coding to understand how to secure them before becoming a cyber professional."

cybercrime, it also exists to keep them out. You make it much easier for them if you don't secure your organization. Many businesses are utilizing technology such as AI and ML that allows them to be more efficient and automated today, but some firms still do not--either because they are unaware of it or because they do not want to spend money on it.

Could you elaborate on some of the best practices businesses may use to improve their security?

Establishing a governance and compliance structure is one of the greatest initiatives. I first began working in the IT business, and I found that many organizations lacked a clear standard operating procedure and framework in place to set that governance. The framework consists of standards, guidelines, and best practices to manage cybersecurity risk. That's why the government had to start regulating and enacting rules, because 'big business' was not doing enough. Security has since been split into two categories: operations, and governance and compliance, which helps to keep everything in check. The operational side is responsible for securing things that people use daily. In contrast, the GRC side is responsible for ensuring that you are following the rules and complying with data privacy and data protection legislation to keep the bad guys out.

When it comes to identifying enterprise security solution providers, how do you get their attention? Is there a procedure for evaluating their value prop and partnering with them?

Before choosing the right vendor, we need to understand where our organization is and where we want to be. We must ensure that our roadmap is realistic and that we are aware of the regulatory compliance and where our data is flowing. Some businesses operate on-premise, others have moved to the cloud, and many enable employees to use their own devices (bring your own device). This is how company data is transferred to non-company-owned devices, posing new issues. We need to look for the correct tool; otherwise, chatting with vendors may take you down a rabbit hole.

Any piece of advice there for upcoming professionals in the field?

I would advise aspiring professionals to be well-versed in a few areas, particularly the business side. Unfortunately, I've seen many professionals become so engrossed in technology that they cannot apply it to the business side. To understand where the difficulty lies, I believe that every CSO should have a comprehensive understanding of business and technology--how it operates, where data flows, and the infrastructure. Another key consideration is to be aware of what is on the horizon regarding data privacy and protection. They must ensure that their organization complies with state-specific data privacy and data protection laws. After they've grasped those concepts, what are the company's risk appetite and business strategy? Finally, they must ensure that their IT security program is aligned with their business objectives. Because if any company wants to use your security plan, you must be able to justify it in terms of business operations, financial aspects, and regulatory compliance. These points will be very useful for being successful in the industry.