By Traci Easton, Friend of the Firm

2016 will be the year that risk, compliance and IT work together to reduce exposure and increase the value of security investments, according to Solutions II. We specialize in helping our clients decrease their cyber risk by identifying enhancements to their people, processes and technologies. "During a recent Solutions II Client Advisory Board, comprised of industry leaders, CIOs and CISOs, members shared their top two business challenges regarding security," said David Stone, Executive Vice President of Solutions II. These challenges are:

1) Educating senior leaders and boards of directors on the actual cost of reducing risk, not just of being compliant with regulations.

2) Analyzing, selecting, implementing and maintaining the appropriate tools from the vast selection being rapidly released to the market.

In today's quickly evolving market it is extremely difficult for C-level executives to decide what to do first when it comes to securing their environment. We recommend to our clients one simple action, which is actually quite a bold move: commission a genuine, authorized, controlled attack (a penetration test, not merely a vulnerability scan) to see where and how someone could actually break in. The reason this is a bold move is that when the attack succeeds, the IT staff must report the results to senior leadership, which then requires immediate action to mitigate the risks found. We have found that successful controlled attacks lead to a true understanding of what to do immediately as well as a plan for the future. Few actions an organization can take produce such immediate results, but telling your boss, your boss's boss, the CEO and the Board that you have been breached, even in a test, is not something many people are willing to do.

One of our clients shared that "this was the most telling activity they had taken related to security, ever." They were compliant with all applicable regulations but felt they still were not secure, which prompted them to ask Solutions II to perform a controlled attack. When the attack succeeded, we found that the client had good tools and solid people performing their jobs, but lacked the processes needed to sift through the information those tools produced and "see" the attack in real time. We suggested, and they immediately implemented, new processes; Solutions II then took their IT security and infrastructure teams through a second attack so they could watch the reaction within their tools and processes. This gave them an opportunity to respond in real time and significantly enhance their skills. The report to the Board was difficult to give, but the ability to show the difference between being compliant and being secure has helped fund their efforts.

"In addition to their top security challenges, our Client Advisory Board members also reinforced many of the observations in the CISO study published by IBM, one of our primary partners," said Stone. The IBM 2015 CISO study states that "security leaders are realizing that simply 'checking the box' to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments."

You can download a complimentary copy of the IBM 2015 CISO study here.