You don’t need to look any further than the powerful computer in your hand to realize how much technology has connected our world. This device, connected to the internet and your organization’s data, has transformed how business is done. Unfortunately, it has also opened up a whole new realm of risk for your organization. If that same computer ends up in your competitor’s hands with no security measures in place, it could mean losing your competitive advantage and proprietary data. Or, equally bad, it could mean being unable to conduct normal business operations because your data is inaccessible or missing.
If something as small as a smartphone has the potential to put your entire business in jeopardy, why do business leaders avoid analyzing and managing their information security risks? It is often because they don’t know where to start.
Use the following questions to begin assessing the current state of your business and where potential problem areas exist.
To what extent are your business goals reliant on data and technology?
In other words, what would be the consequences of a serious security incident in terms of lost revenues, customers, and investor confidence? All too often we take technology for granted. When it’s working, the technology and data go relatively unnoticed. But when there’s a hiccup in the service, the result is annoyance at best and lost business at worst. Identify which of your critical operational processes rely on technology and data assets. Develop a plan to ensure reliable access to that data.
Does anyone know how many information and communications technology assets the company owns and whether any of them have gone missing?
It’s easier to notice when a laptop or desktop computer is stolen. But what about data stored on USB drives or in the cloud? There is great convenience in Box, Salesforce and other cloud-based Platform as a Service providers, but do you own the data when using these service providers? If your provider closed today, would you be able to access your data? Take an inventory of both your physical assets and the data you store in the cloud.
What safeguards have been established over systems connected to the internet to protect the organization from loss, damage and/or disclosure?
While wireless networks, mobile devices, and the Internet of Things (IoT) present great opportunities, they also introduce significant risk. What security processes are in place for the transmission and storage of data in the cloud? Have you connected your IoT devices to a separate network? Begin documenting which devices are connected to the internet and whether certain devices should be placed on a network separate from your critical data assets.
Do you conduct an information security risk assessment on a regular basis?
Information security is an ongoing process, because new data assets and threats emerge and evolve over time. Ten years ago, an organization’s risk assessment likely focused on in-house servers, desktop computers, and maybe even fax machines. Today’s businesses need to assess the risks posed by cloud computing, mobile devices and even IoT devices. Implement a process and schedule to review your organization’s security and data landscape on a regular basis.
Is information security considered a priority or an afterthought during business strategy and planning activities?
Benefits and growth are the glamorous parts of a new strategic initiative. Unfortunately, the strategic planning process often glosses over the risk portion of the analysis. Information security is often given some thought only during the execution of the initiative, which can be too late. Build into your planning processes a way to analyze risk and determine the best way to manage the initiative’s information security risks.
If you were unsure how to answer any of these questions or want to learn more about this topic, you can access a recent AGH University webinar, Information security: A primer for business leaders. This webinar was tailored to business leaders who need an introduction to information security. The webinar ensures that you understand the importance of information security in the business context. More importantly, it provides resources and guidance on how to start tackling your information security risks. If you’d like additional information, or can’t wait to get started, you can contact Brian Johnson using the information below.
Senior Vice President
Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.
Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).
Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.