GOVERNMENT CIO OUTLOOK, NOVEMBER 2023

Our work as security professionals and leaders does not stop at implementing technical controls from a strict technological perspective. Our role is not only to implement the basics. Our role is not to have a single focus. Our role is not to work within technology and ignore the business aspect. We can no longer afford to have a technology-focused mindset. The security professional's mindset has expanded and become more multifaceted.

We must cover technical controls. We must build relationships with all branches of the business. We need to build a culture of security and privacy. We must cultivate relationships with all the other stakeholders to get support. We must implement administrative controls and physical controls. We must stay up to date with the changes in the infosec landscape and the regulations governing data. We must be risk-averse and speak the language of the business. We must market information security. We must implement and monitor security best practices and data protection standards. We must build a holistic program and promote it within the organization to secure the funding, support, and resources needed for it to succeed.

I often discuss the important aspects of a successful information security and data privacy program with others, and the first words coming out of my mouth usually are, "We need to go back to the basics". Yes, it is important to cover your basic security controls to protect assets, technology, and data. The basics set organizations up for successful implementation of an information security program because they are the key groundwork for everything else that follows. For example, we can't implement a good security awareness program if the users don't have multifactor authentication for sensitive systems and data. We can't talk about business continuity planning if we don't have a backup strategy and a disaster recovery strategy.

I am not going to give you a road map on how to implement an information security program or tell you what comes first when considering a data privacy program. What I am going to tell you is that these programs are a team sport. The days of everyone working in silos are gone. We need a collaborative approach between technology and the business to achieve the organization's goal in the easiest, most streamlined, innovative and secure way possible. Risks are always going to be present; the key is managing those risks to minimize incidents and maximize resiliency.

At the end of the day, our role as security professionals is to enable business processes and reduce risk. And the role of the business is to support information security and data privacy initiatives and provide at least the minimal resources needed to accomplish the strategic goals and objectives set forth by the organization. One group can't exist without the other and one group can't succeed without the other.

Finally, I would like to urge information security and privacy professionals to work with the business and to relay risk in business terms. In addition, it is essential that the business support our information security and privacy professionals and provide them the resources that they need. At the end of the day, if we win, we all win, and if we lose, we all lose.

With the complexity of technology and the massive amounts of data collected and processed every day, local government evolved how it acquires, implements, and monitors technology solutions