Are you not only prepared for opportunities, but also as secure and protected as you think or as required?
On a recent return flight, my seatmate struck up the usual conversation: was Columbus home, and what did I do for a living? She was traveling to a conference and had never been to the area before. When I shared what I did, and that Columbus was home, she had a myriad of questions about what to do and where to go while she was in town for her conference. When I had answered all her questions regarding the area, she further inquired, “how do you keep your company and clients safe with all the
Having spent the previous 3 days discussing incident response plans and the action items that IT teams and service providers need to implement, the answer came readily. I explained some of what we do to protect both internal systems and those of our clients, adding that there’s always more that can, and should, be done. She chuckled and commented that trying to stay ahead of the bad guys seems like a tough job.
This conversation really made me think about discussions with customers, prospects, and industry peers, as well as the questions I have fielded after speaking at conferences and at the OSCPA executive education summits. It is startling how many people assume, but don’t actually know, the status of their IT systems. They are not only unaware of whether they are positioned and prepared for opportunities or changes, but are equally unaware of threats to their IT environment, and ultimately to their organization.
Over the next few months, we will be highlighting how a business leader should evaluate their IT department, or 3rd party provider, to validate that they are meeting expectations and that IT is aligned with the business goals.
IT is one of the most important assets for any organization and, if utilized correctly, can have a faster positive effect on performance than any other asset in the organization. For this reason, it is imperative that business leaders understand the status of their IT assets and resources, even if they neither fully like nor fully understand them.
1. Define Your Expectations (performance, risk, threat tolerance, etc.)
As the organization’s leader, you (and your leadership team) are responsible for establishing goals, expectations, and threat tolerance for the organization. You can do this independently or, like many of our customers, complete this as part of an IT strategy or planning activity. Either way, if you want to be successful, this must be documented so that your internal or 3rd party resources understand your expectations for IT performance, security, protection, and compliance. Consider the following:
A. How important is IT to the organization?
B. How long can the organization be “off-line” before it has a critical negative impact to achieving your goals?
C. What are your expectations regarding risks to organizational productivity from system downtime?
D. What regulatory compliance responsibilities does the organization have, and how do you want those addressed?
E. What is your threat tolerance regarding cybersecurity protection, and what level of “formality” are you willing to implement to secure and protect your organization from cyberthreats?
F. What is your strategy for IT asset lifecycle management?
G. As a leader, what will your oversight expectations be for the resources managing your IT systems?
The answers to these questions will set the expectations and allow you to guide your IT resources in the building and management of your IT environment. This is an environment that you depend upon to be aligned with your business goals, to help you achieve success faster, and to secure and protect your organization’s productivity, data, systems, and users from cyber threats.
2. Regulatory Requirements
Every organization has some level of regulatory requirements, regardless of the industry. Ohio, along with every other state, has passed data protection laws that your organization must follow. Should you suffer a data breach (from a hack, malware, or a ransomware attack), these laws require that you follow various steps not only to remedy the situation, but then to notify the people identified as affected by your compromised data records, all within a prescribed time period. These laws cover your employees (present and past), as well as the people that you serve, support, or otherwise conduct business with (customers).
Some industries have more stringent requirements: the health care industry must be HIPAA compliant; organizations that process credit cards have PCI compliance responsibilities; government contractors must follow NIST regulations and compliance; the insurance industry recently enacted additional data protection rules and regulations to protect customer, client, and patient data. Penalties for non-compliance can prove not only significant, but usually a lofty and unanticipated business expense. Remember that non-compliance exposes the organization to potential civil liability, non-reimbursement from your cyber insurance policy, and damage to your reputation, as well as lost productivity and the inability to access your systems for what may be an extended period of time.
3. IT Roadmap
After identifying your expectations, and taking into consideration your regulatory requirements, having an IT road map, or strategy plan, is an important step towards getting your IT assets and resources aligned with your business goals. This will help you understand and plan for the expenditures and activities necessary to have the IT function prepared to support the business mission, while protecting the organization’s systems and data.
We build the base document for many of our clients, then work together to fill in the blanks and add any notes regarding business changes so that IT is poised to support the business as it grows. In fact, one of our clients is undergoing new market expansion, so we worked together to develop a new office package that incorporates all of the IT requirements on a timeline which allows for system access to be tested and ready for the opening of their new facility.
4. IT Assets/Inventory
One of the most overlooked, yet critical, components for any organization is a detailed inventory of your IT assets. Consider that almost 30% of data breaches are caused because IT assets are lost, stolen, not reported in a timely manner, or are not properly patched or secured. It is important, as leaders, that you require your IT resources to maintain an up-to-date inventory of all of your IT assets.
Though daunting at the outset, there are many ways that this information can be gathered and managed, and as leaders you should be positioned to validate the existence of the assets on the list. A number of our customers utilize our inventory information form to assist with financial audits, or to evaluate asset lifecycle/refresh programs. This is a valuable tool for many reasons; however, the main reason is simply that you can’t protect an asset that you don’t know exists.
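One practical way to validate an asset list is to reconcile it against what was actually observed on the network. The following script is an added example for this article and is not code from the author or from any inventory product; the inventory records and the discovery results in it are constructed sample data with hypothetical hostnames, and the 30-day and 45-day thresholds are assumptions a leader would set from the expectations defined in step 1. It reports devices seen on the network that are not in the inventory (you can’t protect what you don’t know exists), inventoried devices that have not been seen recently (possibly lost, stolen, or not reported), and devices whose last confirmed patch date is outside the agreed window.

```python
"""Reconcile an IT asset inventory against network discovery results.

Added example: the inventory and discovery data below are constructed.
In practice the inventory would come from an asset register or
spreadsheet export, and the observed hosts from a discovery tool.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InventoryRecord:
    asset_id: str
    hostname: str
    owner: str
    last_patched: date      # date of the last confirmed patch cycle


@dataclass(frozen=True)
class ObservedHost:
    hostname: str
    last_seen: date         # last date a discovery scan saw the host


# Constructed sample inventory (hypothetical assets).
INVENTORY = [
    InventoryRecord("WS-001", "fin-laptop-01", "Finance", date(2024, 5, 20)),
    InventoryRecord("WS-002", "acct-desktop-02", "Accounting", date(2024, 3, 1)),
    InventoryRecord("WS-003", "hr-laptop-03", "HR", date(2024, 6, 1)),
    InventoryRecord("SRV-001", "srv-files-01", "IT", date(2024, 6, 5)),
]

# Constructed sample discovery results (hypothetical scan output).
OBSERVED = [
    ObservedHost("fin-laptop-01", date(2024, 6, 10)),
    ObservedHost("acct-desktop-02", date(2024, 6, 9)),
    ObservedHost("srv-files-01", date(2024, 6, 10)),
    ObservedHost("hr-laptop-03", date(2024, 4, 20)),   # not seen for weeks
    ObservedHost("unknown-printer-7", date(2024, 6, 10)),  # never inventoried
]


def reconcile(inventory, observed, as_of, stale_after_days=30, patch_window_days=45):
    """Compare inventory to observation and return the findings a leader should ask about.

    Hostnames are compared case-insensitively. Thresholds are assumptions;
    set them from the organization's documented expectations.
    """
    inv_by_host = {r.hostname.lower(): r for r in inventory}
    obs_by_host = {o.hostname.lower(): o for o in observed}

    # Seen on the network but absent from the asset list.
    unknown = sorted(h for h in obs_by_host if h not in inv_by_host)

    # On the asset list but not seen, or not seen within the stale window.
    missing = sorted(
        h for h in inv_by_host
        if h not in obs_by_host
        or (as_of - obs_by_host[h].last_seen).days > stale_after_days
    )

    # Last confirmed patch cycle is older than the agreed window.
    overdue_patch = sorted(
        h for h, r in inv_by_host.items()
        if (as_of - r.last_patched).days > patch_window_days
    )

    # Inventory entries confirmed to exist and recently seen.
    verified = sorted(h for h in inv_by_host if h in obs_by_host and h not in missing)

    return {
        "unknown": unknown,
        "missing": missing,
        "overdue_patch": overdue_patch,
        "verified": verified,
    }


def run_sample():
    """Run the reconciliation over the constructed data as of 2024-06-10."""
    return reconcile(INVENTORY, OBSERVED, as_of=date(2024, 6, 10))


if __name__ == "__main__":
    for category, hosts in run_sample().items():
        print(f"{category:>14}: {', '.join(hosts) if hosts else '(none)'}")
```

Each of the three exception lists maps to a question a leader can put to the IT team or provider: why is this device on our network, where is this asset, and why has this asset not been patched within the agreed window. Running the reconciliation on a fixed schedule and keeping the reports gives the period-to-period view of progress that the annual risk assessment in step 5 builds on.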
5. Current Status – Risk Assessment
Now that you’ve identified your expectations and have an inventory of your assets, your organization needs to set a standard for evaluating the status of your IT environment as it relates to operations, exposures, and external threats.
At a minimum, an annual network security risk assessment should be completed to validate the efforts of the IT department, and other leadership, for certain performance activities. This also allows for the identification of both new and existing risks or exposures to your organization. Each assessment should have a defined remediation plan with easy-to-follow instructions for your team, or 3rd party provider, to guide them through remediating the exposures and threats found in your environment.
Optimally, the assessments can profile your advancement from period to period to ensure that progress is being made to protect your organization. We provide these services for a variety of activities including a standard network risk assessment, compliance assessments for HIPAA, PCI and other regulatory requirements, and as needed, work with 3rd party companies for government contractors requiring NIST compliance.
A number of our current clients began their relationship with us by first engaging us to perform a risk assessment. Many then continued their partnership by building their road map and retaining us for additional services to supplement their internal team’s capabilities, and as a valued resource to help secure their organization.
This article covered the initial steps required of a business leader to ensure they are receiving the expected return on their investment for their IT assets and resources, whether they utilize internal resources or a third-party firm. Next month we will highlight important functions that your IT department should be providing, and the questions you should ask to validate their execution.
If you would like to learn more about developing your IT strategy, and how to get more from your IT resources and assets, please call Jason Long at 614.495.9658 to coordinate a time for us to begin the conversation. We look forward to helping you maximize the return on your IT investment.