As a chief information security officer (CISO), my duties within a cybersecurity company include developing plans and strategies to mitigate risks within the field. Developing these plans requires a defined budget that specifies how much funding goes toward training and how much toward technological maintenance. Given how much error can originate from within one's own company, allocating most of the funds toward training current and future employees would be my priority.
CISO’s Responsibilities
As the chief information security officer, I must carry out certain functions within a company, specifically overseeing information, cyber, and technology security by developing policies for the organization (What is a CISO? Chief information security officer). Most of these policies define ways to protect an organization's assets, applications, technology, and systems. A CISO also has the duty of managing and educating not only business leaders but also employees about technology risks (Chief information security officer). Training current and future employees is one of the key factors for success within a cybersecurity organization; to help accomplish the goal of a stable and reputable company, I will need to abide by the NIST framework.
NIST Framework
NIST is the agency that produces and distributes essential cybersecurity standards for information systems and companies (Everything CISOs need to know about NIST). Regarding the safety of my company's data, I believe that applying the five core functions of the NIST framework is crucial to the technology side of the business. We need to Identify the data, assets, and systems that need protecting; Protect those items by implementing strong and efficient security measures that reduce risk; Detect incidents by having well-thought-out plans along with backups; Respond to attacks by executing response plans that quickly eliminate threats, mitigate damage, and address breaches within the system; and Recover from these events by designing a disaster recovery plan that restores any services or data lost or damaged, and then discuss with the team new strategies for improving each of the above steps in preparation for future threats (Everything CISOs need to know about NIST).
Technology
The methods I would write into the company's risk management policy would focus on monitoring and protecting the information held within our technology. Evaluating systems regularly within a defined timeframe would help mitigate potential crashes and keep our systems up and available for consumers. Another method would be to deploy various forms of detection across the company. Phishing, fraud, and data leakage detection aligns with the NIST framework by improving the company's response time to cybersecurity incidents.
Allocating Funds
Although having excellent technology within a company is important, as a CISO I would place more emphasis on the training of employees. One reason is that more risks arise from the people working for a company than from the technology itself. For instance, cybercrime within the company can come from former or current employees who harbor grievances against it, and employees may not be trained as thoroughly as they could be, especially in a large company where training is delegated to designated staff who train groups of new employees (IT security and the normalization of deviance). Human error, whether deliberate or not, can be the biggest downfall of an organization. For example, an employee who was told the policies for securing information in a single training session may forget a key detail later while still employed at the company, which could lead to a data breach, loss of information, or similar risks. That said, I still believe technology should be allocated a substantial amount of funding to keep up with maintenance and to raise the security measures on our systems. However, there should be more emphasis on the amount of training and on how it is delivered, both when recruiting new employees and throughout their time at the company.
Conclusion
In summary, my budget as chief information security officer would cover technological maintenance and security upgrades; however, employee training will be the focus when allocating funds. Although technology is important, especially for mitigating risks such as system crashes or viruses, the greater concern is cybercrime from within the company and simple employee mistakes that could have been avoided by building better training methods throughout the company. Technology can be as up to date as possible for protecting software and stored data, but its value decreases when not all employees know how to use it within the workplace.
References
Chief information security officer. scadahacker.com. (n.d.). Retrieved April 6, 2023, from https://scadahacker.com/library/Documents/eBooks/CISO%20Council%20-%20CISO%20Handbook.pdf
What is a CISO? Chief information security officer. Cisco. (2022, December 7). Retrieved April 5, 2023, from https://www.cisco.com/c/en/us/products/security/what-is-ciso.html#~ciso-role-explained
Everything CISOs need to know about NIST. Security Intelligence. (2023, March 30). Retrieved April 8, 2023, from https://securityintelligence.com/articles/everything-cisos-know-nist/
IT security and the normalization of deviance. Security Intelligence. (2020, March 20). Retrieved April 9, 2023, from https://securityintelligence.com/it-security-and-the-normalization-of-deviance/