In nearly every interview we conducted with technology leaders at the National CIO Review, executives mentioned the importance of security. From high-level planning to day-to-day objectives, company and data protection is a high priority for industry leaders. This objective is also one of the most visible ways to evaluate the success or failure of an executive leader, since a large data breach can leave long-lasting impressions that are difficult to shake. Even if security isn’t the only responsibility of a good CIO, its visibility, importance and demanding work often assume the lion’s share of leaders’ time. Given the seemingly never-ending deluge of security breaches and ransomware attacks that happen every year, technology executives face constant pressure to improve and maintain security standards.
Within the vast number of security objectives and challenges, there is a blueprint for best practices that exists across industries. A good high-level mindset is a key ingredient in security strategies, one that has a great effect for multiple reasons. Collaboration – both with other business leaders in the organization and with team members – can also lead to security success by ensuring that everyone at all levels is invested. Finally, the best leaders tailor security plans to their specific organizations, fine-tuning strategies to account for specific strengths, weaknesses or peculiarities. While it’s important to acknowledge that no security strategy is invulnerable, mindset, collaboration and specific approach form a high-level blueprint that allows companies to achieve as much security as possible.
Mindset: Prioritization Over Complacency
At the most fundamental levels of leadership, the best CIOs and CTOs place a premium on security processes and results. Some companies make this mindset a prerequisite for job consideration, since so many organizations rely heavily on technology infrastructure. Beth O’Rorke, CIO for Blue Cross Blue Shield of Massachusetts, told the National CIO Review about some of her security objectives. She said, “On the technology side we are doubling down on security. We have made dramatic steps forward to secure our foundation and continue to put key capabilities in place.” Other leaders – such as HMSHost’s Sarah Naqvi or OneAmerica’s Gene Berry – echoed this sentiment when they spoke to us. Security is a key concern for CIOs and CTOs regardless of industry and the best leaders always prioritize this objective.
Making security a priority is critically important because of the constant temptation of complacency. Christopher Mele, for the New York Times, argued that the constant pace of high-profile security breaches prompts apathy and a sense of inevitability among consumers. These individuals often fail to take steps to protect their data (like creating complex passwords or enabling two-factor authentication). The lessons in this article – that data breaches will only increase in frequency if apathy continues – apply to technology leaders as well as consumers. It isn’t enough to trust that existing security measures are enough, or that one’s company can survive a lower-level data breach. Leaders should constantly test their online protections and do everything possible to ensure maximum security.
Indeed, the prevalence of security breaches should provide a powerful motivation for leaders who hope to avoid being the next high-profile victim of a ransomware or data breach attack. No executive wants to be accused of not taking the necessary steps in the aftermath of a security attack, and prioritizing information security from the beginning of one’s tenure allows CIOs and CTOs to avoid even the appearance of lax leadership.
As a starting point, then, technology leaders should approach security with a mindset of prioritization and consistent effort. This approach enables CIOs and CTOs to deploy resources and develop long-term plans from the beginning of their tenures. Carl S. Young argued for the Harvard Business Review that companies that lack a single-minded vision often showcase the risks of less than maximum effort in this area. He claimed that many organizations prioritize convenience over security, leaving themselves vulnerable in key areas. By prioritizing security at all levels, technology leaders can prepare their organizations for a variety of threats.
The second component of a good blueprint for security strategy is to promote collaboration as much as possible, from IT team members to line-of-business leaders. This strategy flows directly from strong prioritization, since CIOs and CTOs who make security a central function of their jobs are likely to communicate this vision to both their specific teams and peers at the C-level. Convincing people across all functions and levels to buy in to a security-focused mindset may be easier at smaller companies than at large organizations, but this approach is vital to ensuring optimal security everywhere.
Ensuring that IT team members buy into security prioritization should be easy for good leaders if they articulate their strategy consistently and well. For many, motivation starts at the hiring level. Marty Smith, CIO of GreenSky, discussed some of his specific hiring measures when he spoke with the National CIO Review. He told us, “we developed an apprenticeship program for security analysts in which new hires work a two-year program, achieve certain milestones, and attain certain incentive plans,” continuing, “At GreenSky, we look for people who want to make a difference[.]” Technology leaders need to make sure their employees are fully on board at all times, so a failure to motivate internal teams will make good security measures almost impossible to implement at other levels.
As important as it is to make sure that IT teams fully invest in strategic visions, the best technology leaders strive to do the same with business leaders and strategists. Young argued in his article that “In the event of a data breach, the IT department is usually blamed for failing to control the security of the organization’s information, when in fact the prevailing culture throughout the organization has undermined IT’s risk-management efforts.” Situations where security measures fall on deaf ears are unsustainable: businesses have too much to lose by data breaches to make only IT teams responsible for both internal and external threats. However, companies with better collaboration will be more secure than those who try to make complete security the goal of only one team.
Good communication skills are essential to this vision of security collaboration. Secure networks and data are vital for every company’s success and making the protection of company assets a priority for everyone will ensure maximum effort and engagement. The best technology leaders can communicate with a variety of other professionals within their organizations and clarity, frankness and humility are essential. Randy Franklin, for the Enterprisers Project, argued that “The ability to handle those conversations well and use them as educational moments sets the tone of how your company’s security policy is viewed and internalized by your employees.” Good security requires strong teamwork and it is incumbent on both technology and business leaders to build and foster collaboration.
Attention to Detail
While prioritization and collaboration toward security goals will work at nearly every company, many situations demand more specialized strategies and approaches. Every company is different, and the best technology leaders tailor their plans to account for job-specific variances. From accounting for a lack of resources to employee demographics, executives face many different scenarios with vastly different demands.
Small organizations, for example, often face unique security challenges because of budgeting and workforces. For these companies, or any organization with limited resources, prioritizing processes and results allows CIOs and CTOs to stay ahead of the most pressing challenges. Even if it’s not technically feasible to hit every security goal, technology leaders can still make sure that they prepare for the most likely threats or guard the most vulnerable weaknesses. Though prioritization is always a good strategy regardless of organizational size, it is critically important for companies with fewer resources.
Leaders may also have to make security decisions based on the demographics of their workers. Sarah Green Carmichael wrote an article for the Harvard Business Review suggesting that younger workers, ironically, carry their own set of security concerns. Even more surprisingly, she also noted that IT workers are sometimes notoriously bad at following security rules within companies. While the strategy of collaboration can solve many of these problems, technology leaders also need to take age and function into consideration when formulating security plans. Obstacles such as these, which may vary in severity from company to company, dictate that CIOs and CTOs take the ideals of mindset and collaboration and then fine-tune them to their specific environments.
Perhaps the best way to align security objectives with resources and employees is to make sure to assign attainable Key Performance Indicators (KPIs). Sean Catlett argued as much for the Enterprisers Project. Instead of trying to protect an organization from every conceivable outside threat, he writes, technology leaders should focus on the available resources and initiatives. In his words, “Security optimization and measurable KPIs can help organizations make enterprise security radically stronger, simpler, less costly, and more accountable.” This approach is particularly valuable in companies with a limited workforce or a low security budget. By focusing on immediate, attainable goals in addition to long-term objectives, CIOs set themselves up for the best possible outcomes.
In some ways, it’s easy to understand why many people are ambivalent or even apathetic toward security risks. Data security is a constant arms race and it’s inevitable that threats will sometimes break through even sophisticated defenses. In many cases, even the best IT teams cannot provide perfect standards of protection. Total and complete security – the ideal for many – is ultimately impossible. With this information in mind, many are content to assume that breaches and hacks are simply a reality of doing business in the 21st century.
As prevalent as data breaches are, CIOs don’t have the luxury of succumbing to what many see as inevitable. Even if they can’t completely eliminate security risks, the best leaders can still achieve remarkable levels of security. From mindset to collaboration to ensuring that resources are allocated appropriately, each step of a good security strategy demands precision from leadership.
Of course, it’s important to point out that leaders could follow every step in this process and still end up on the front page of a technology publication as the latest notable victim. As any good CIO will reiterate, there is no such thing as a perfect or foolproof strategy. Every firewall has vulnerabilities, and everyone is subject to human error. Regardless of all these realities, though, there are clearly leaders who have found success in their strategy and who have made sure that their companies are as well-insulated from an outside attack as possible. Mindset, collaboration and attention to detail provide a good starting point for security defenses and show how the best technology leaders protect their companies from risk.