The IT department is presumably responsible for all operations in the network infrastructure, so when anything goes wrong it is the IT department that should be answerable. While this is true, some organizations have come to feel that a cybersecurity department standing as a unit of its own would be far more effective.
Each department in the organization gets a yearly budget, so a cybersecurity department would have its own, and could prioritize spending according to the levels of risk and the threats it actually faces.
A past study of more than 200 companies in Canada found that organizations that were stingy with their IT security budget suffered more cyberattacks, because they lacked the equipment and software to counter intrusions. Companies that invested heavily in their IT security team, on the other hand, had fewer intrusions, if any: the team had the means to acquire current devices and software to protect crucial company information.
Training is a good way of ensuring that your cybersecurity team members stay educated on the latest techniques and approaches used by cybercriminals.
It’s not all hardware
Buying devices and software for the IT department is a good measure, but it is not enough to guarantee protection from cyberattacks. Training your employees goes a long way toward ensuring that they are aware of the cyber dangers lurking out there, since many intrusions begin with a person, not a device.
Cybersecurity is more than IT
The most senior level of management in an organization, in many cases the Board, should be the first to understand the need for an independent cybersecurity department. The CISO should be the link between the Board and the rest of the employees, communicating the department's concerns, such as its budget, upward. Top management is responsible for the financial stability of the company, and for its cybersecurity as well.
Responsibilities of the Board
Companies intending to have an IPO must disclose crucial information to regulators and the public, and that includes their cybercrime risks and exposures. Such companies need to assess whether the risk management systems they have put in place are sufficient, since the CSA will consider these issues when evaluating an issuer's disclosure.
Canadian companies are required by law to be accountable for any cybersecurity breach within their organization and to disclose such incidents. Fines of up to CA$100,000 can be imposed for each violation.
The CISO is a lonely person
A CISO is often seen as an adversary by colleagues, both in top management and in the lower ranks. The CISO's responsibilities include ensuring that whatever software is released to the market is ready for use, and the CISO may halt the release if something seems amiss. The Board, on the other hand, is pushing for quick action.
A CISO does not make executive decisions, and the role attracts conflicting demands from various corners. All in all, the CISO is trying to fulfil the purpose of cybersecurity, which is to secure all operations in the organization, yet shortcomings in the IT department still leave it exposed to cyberattacks.
In the perfect scenario
The CISO has full authority to act and make decisions, with the full support of the Board. The CIO is also a strong ally in achieving safe and secure IT operations. The department has a budget of its own, and everyone is expected to demonstrate the value of their contribution.
To get there, training Board members to raise their awareness is one way of bringing them on board. Engage a full-time or part-time CISO depending on the size of the company.