Do you want to avoid the fate of the Target CIO?

Let’s face it – the job of the CIO isn’t getting any easier, and adding more pressure to the plate, we are seeing more and more “voluntary resignations” in the aftermath of security breaches like Target’s.  The retail giant made headlines after announcing that 110 million Americans were affected by a massive breach of its systems.

The resignation of the CIO followed shortly thereafter.  Fair? It is hard to know what their internal dialogue was, but loss of corporate data may just have become THE most serious threat to a credit union today!

Systems can be replaced and buildings rebuilt, but the confidence and trust your members have in you may not be replaceable. Not to mention the cost of the breach itself: if it is not covered by insurance, it could cost your credit union everything.

No plan (system or network) is foolproof, but there are lessons learned that can help strengthen your security posture:

  1. Go beyond compliance – Being compliant does not mean your credit union is secure. Credit unions should go beyond minimum compliance standards and undergo a variety of penetration tests several times a year.
  2. Educate your C-level (and Board) – The responsibility of a breach has become personal with jobs being lost and accountability directed at leadership and boards. The C-team and Board need to insist on gaining a deeper knowledge of the threats and mitigation strategies.
  3. Know your logs – Knowing how to manage and read your event logs is crucial to IT security. Today’s credit union CIO is deluged with log reports from firewalls, data leak prevention devices, IDS/IPS and anti-virus/spam scans. How are you keeping up with them? Most credit unions don’t have a dedicated Information Security Officer (ISO), which brings me to my next point.
  4. Hire a CISO (Chief Information Security Officer) – Establishing an Information Security position – someone whose sole job is to monitor the security posture of the credit union – should be high on the priority list for credit unions. Not only does it help to relieve the burden on the CIO, but it establishes a much needed separation of duties.  It also shows the rest of the credit union that Information Security is serious business.
  5. Create an Incident Response Plan – Credit unions are required to have incident response plans and many do. The problem is that they are rarely tested to determine their effectiveness.
  6. When a breach occurs – ALL energy goes to fixing the breach and stopping the bleeding.  And while this is definitely important for your technical team, many times the communications plan is an afterthought.  What you tell your members and when you tell them can be just as important as securing your data.
  7. Secure outside help – A huge mistake that many credit unions make is assuming they can handle the event themselves. Not only does this fail to recognize how quickly these attacks can spread their resources thin, but it also doesn’t protect the credit union from the ultimate insider threat – a rogue IT person.
  8. Account for Johari’s Window Quadrant 4 – What You Don’t Know You Don’t Know. I’ve read the Target breach began with an HVAC contractor accessing a wireless network inside the corporate network. Where aren’t you looking or suspecting? Vendor access? Insider threat? Simple loss of a corporate cell phone or laptop?

Ultimately, as a credit union CIO, your job is to secure the infrastructure and lock up the data.  Use the steps above to map out a deliberate security strategy that is prioritized at the highest level. And while no system/network is 100% foolproof, knowledge is power! Without it, we stay behind the vulnerability curve forever.

Robin Remines

Robin Remines brings an exciting combination of strategic vision and tactical finesse to the OGO Executive team. Prior to joining Ongoing Operations, Ms. Remines served as Vice President, Information Technology ... Web: ongoingoperations.com