With the number of security threats escalating every passing day, information and its security have now become a complex question. The number of gadgets being used is increasing, connectivity is improving, and technology keeps getting better by the second. So it is, undoubtedly, a subject that makes people restless, and they have every reason to feel so. The advent of technology has multiplied the threat to information in businesses too. However, the time has now arrived for CIOs to decide which information security threats they need to attack and which ones they need to live with. And according to me, that should be decided by alignment with the business.
There are various technologies available for information security, such as virus protection, firewalls, network protection, and user names and passwords, to name just a few basics of information security. However, if you don’t take care of these basics, the threats they address can destroy your network or IT architecture in no time. These ‘basics’ are a given which one must follow, and there shouldn’t be any compromise on them.
Going beyond the first stage of security should be driven by business needs. Not even fifty percent of the paranoia with which CIOs look at information security these days is shared by CEOs, despite the fact that they are the ones who should be more cautious about information security, because at the end of the day it is their business.
CEOs have become more pragmatic, as they know that dealing with information security in too much depth would get in the way of running the business efficiently, profitably and productively. They also assume that ninety-five percent of employees are professionals who won’t harm the business. The question then arises of how much restriction should be put in place for that five percent, balanced against those ninety-five percent, and that is why CEOs tend to manage by exception.
CEOs are inclined to give employees more in terms of access and technology, because they know that restricting access would put the business at a disadvantage: employees would not be aware of the technological world around them. Also, your business will suffer more than the employees will if one or two percent of them cause information security damage.
Having the right, effective policies and procedures is a better way of tackling information security than controlling technology and restricting employees’ access to information. Hence, it would be prudent to have policies and procedures to tackle information security aspects within the organisation. Policies and ‘dos and don’ts’ should be clearly specified to employees, and they need to be aware of what should be kept sealed and what can be kept open. Non-compliance with policies should be treated very seriously as and when it is reported. Stringent action should be taken so as to send a message and set an example. But not everyone should be looked at with suspicion.
When it comes to CIOs, they should know their role of securing information very well; it is actually only ten percent of their entire role. The other ninety percent is to deliver the value of IT to the company’s business. They should not get overly paranoid, because there will be an expectation mismatch between what the CEO expects from them and what the CIO feels his job is. So that should be properly aligned in order to avoid damage to a CIO’s personal career.