Skip to main content

Featured

Protecting Employee Data is an Organization’s Legal Obligation or Is It?

In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation efforts of a data breach for a Pennsylvania-based client.  Hackers gained access to the company’s employee payroll information containing the salaries, social security numbers and other Personal Identifying Information (PII) through an insecure email system. It was crucial to develop and execute a corporate security strategy along with the tactical tasks of remediating the breach.

During 2013 and in 2014, infamous cyberattacks resulting in significant data breaches occurred against notable companies such as Target Corporation, Home Depot, JP Morgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the afflicted organizations citing negligence and other allegations. Organizations did not view protecting employee data was…

CISO Complexity: A Role More Daunting Than Ever


The role of the CISO is more complex than ever. One major factor contributing to this CISO complexity is the growing number of regulatory compliance requirements with which organizations must comply. There are also industry-specific standards muddying the water. Financial services, for example, are heavily regulated in the U.S. and the European Union (EU). These regulations are rapidly changing, and it is very difficult for CISOs to keep up with all mandates.

CISOs are often confronted with organizational business units that simply accept risk instead of attempting to mitigate it with regulatory and security compliance. It is difficult to justify this problem to regulators who often see it as a black-or-white issue — either you’re in compliance or you are not. CISOs have a tough time addressing this gap in the ever-changing regulatory environment.

Getting Executives on the Same Page

The heightened awareness of executives and boards of directors also contributes to CISO complexity. Through collaboration with other organizations, these executives are becoming more sensitive to the importance of security. They have seen other organizations suffer data breaches and heard of the masses losses, and they want to know that their own critical data is protected.


The seemingly insurmountable threat landscape adds even more complexity. Cybercriminals are becoming more sophisticated, and everything from state-sponsored attacks to organized criminal campaigns is occurring around the clock. Advanced defensive solutions can be helpful but may also be difficult to operate, adding yet another layer of difficulty.

Zooming In on the Big Picture

Complexity is not necessarily a bad thing, but understanding what causes it goes a long way toward dealing with it. CISOs must understand what creates complexity in their organizations. They should, for example, remove any tools that do not add value and delegate tasks to direct reports whenever possible.

Organizational complexity creates big obstacles that make it difficult to get things done. Executives and board directors often lack a realistic understanding of how information security and the related challenges actually affect their businesses. I’ve noticed that many leaders simply revert to past personal experiences to address security issues from a big picture perspective, yet they fail to understand or consider the consequences of that, especially as it relates to employees. It could result, for example, in inadequate processes and ambiguous role definitions.

What Drives CISO Complexity?

Security leaders must identify pockets of individual strength and weakness in their departments to effectively deal with these challenges. It is important to properly delegate work to individuals who can deal with delicate situations and also train others to develop the required skills. This enables the CISO’s staff to create and use networks within organizations to build relationships. A team effort is required to overcome poor processes, manage complexity and bridge organizations silos.

Organizations have varying degrees of complexity due to both internal and external factors. To top it all off, security staff members view complexity differently than executives. Those stakeholders must recognize how their staff deals with complexity and develop an understanding of what drives it.

Comments