Originally published by Digital Guardian.
By Ellen Zhang
The life of a CISO is a busy one and it can be easy for priorities to get lost in the shuffle. We’ve polled a group of CISOs and other security professionals to find out what CISOs should be aware of but likely aren’t.
CISO AWARENESS: 21 SECURITY PROS & CISOS REVEAL WHAT CISOS SHOULD BE AWARE OF (BUT TYPICALLY AREN’T)
The role of the Chief Information Security Officer (CISO) is a complex one, requiring the ability to regularly interface not only with other security professionals, but with executives spanning every facet of the organization. CISOs are typically responsible for evaluating and implementing the right security tools, within budget, while ensuring that those solutions are properly consolidated (eliminating redundancies and wasteful spend) and are adequate to meet the company’s evolving security needs. Additionally, as CISOs are often tasked with overseeing security awareness training, the ability to communicate with all levels of staff without technical jargon is key. Beyond implementing security tools and facilitating communication, though, CISOs oversee every facet of an organization’s security, mandating the ability to see the forest for the trees – acute awareness of both big-picture and atomic-level risks, vulnerabilities, and security concerns is a must at all times. That’s where one of the biggest challenges lies for CISOs, and where the need for establishing an experienced, trusted, and reliable team becomes clear.
To gain some insight into common blind spots for CISOs and important considerations that CISOs should be aware of, but often aren’t, we reached out to a panel of CISOs and other security pros and asked them to answer this question:
“WHAT SHOULD CISOS BE AWARE OF THAT THEY’RE USUALLY NOT?”
Answer by Michael Hall
Michael Hall, DriveSavers Chief Information Security Officer, develops security protocols to handle critical data for corporations, government, and all DriveSavers customers. Hall has twenty-two years’ experience in data security and data recovery.
“If a storage device fails…”
Resulting in lost or corrupted digital data, few organizations have the internal resources to recover that data – especially in the case of physical damage or electromechanical failure. The device must be sent to a third-party data recovery vendor. Company-owned devices often hold security-sensitive electronically stored information (ESI), including critical intellectual property (IP), financial databases, accounting files, e-mail exchanges, customer records, PCI, PII and PHI. Most of the data recovery industry does not meet best practice standards to ensure data protection through cybersecurity; therefore, data recovery service providers must be classified as high-risk vendors. If an organization does not perform due diligence before engaging the services of a data recovery vendor, it runs the risk of a data breach that will result in major financial and reputational damage.