By implementing an ongoing program with a multi-pronged approach involving business (as a first line of defence), Data Protection, Cyber and Information Security and Operational Risk to ensure that we meet the requirements from a regulatory as well as from a best practice standards point of view.
My advice would be for the new CISO to understand the existing business landscape and structures, to build relationships and get the necessary buy-in from key stakeholders. This will greatly assist in obtaining the necessary support and confidence in their vision and future roadmap. It will also greatly assist when purchasing and prioritisation need to be done, specifically where this involves the purchase of expensive systems or hardware.
I would describe a strong organisational information security program as one that constantly assesses risk and the methods to mitigate the risks identified, while keeping company data secure both across the company’s environment and that of third parties. This relies heavily on the pillars of the CIA triad (commonly known as the pillars of information security): Confidentiality, Integrity and Availability.
Yes. Proper data protection and security can be quite costly, yet it is very necessary. By outsourcing to a good third party you would be able to leverage their skills and knowledge framework and have access to a broader community of experience.
Absolutely. I believe that it is best to involve your security teams upfront as this enables better buy-in from them and their input during the various stages of the product roadmap lifecycle.
In My View…
I am most proud of having had the opportunity to re-invent myself from being the Operational Head of an area to being a Data Privacy Manager. I am incredibly passionate about data protection and the holistic approach needed which involves both the cyber and information security aspects. I love enhancing my learning on the subject by continually researching and staying on top of new developments that impact this space, as well as ongoing involvement and opinion seeking from relevant security partners.
The implementation of the ability to share data and information across the various divisions within a large organisation, through safe and secure mechanisms whilst ensuring compliance with the necessary global regulations.
I see one of the greatest internal threats, at the moment, being data loss. An organisation’s biggest threat is often from its own employees or approved third parties causing or committing data breaches via leakage to unauthorised parties. They have easier access to the data on demand, and that is why it is essential to have robust security safeguards in place which ensure that the relevant access is given for the relevant purpose, and that continuous monitoring of this is in place.