Being a CIO isn't an easy job, not when hackers are coming at you from all sides trying to get their hands on that sweet, sweet data. It's especially nerve-racking because one breach can turn a company from a respectable business into one that looks like it protects its information with a layer of Swiss cheese.
Here are four things keeping CIOs up at night – and ways to help them fall back asleep again – or at least into a light doze instead of staring at the ceiling waiting for a hacker to break through.
1. Dude, where's my data?
Andrew Hay, CISO for DataGravity, says one concern might seem a simple one: "the lack of data awareness that organizations have in terms of where information is stored and what type of sensitive information is accessible by people who shouldn't have it," he says.
But that's not just about where data lives. It's where copies of it are going, and the security of those systems. "Are [employees] uploading it to things like Dropbox or Google Docs because they work from home, or the files are synced with their personal servers instead of VPN?"
That's a big change from when companies once blocked things like Facebook and social media sites. "They thought nothing of using a proxy to block sites. That gave way to allowing access during lunchtime. That gave way to 'we can't control that,'" Hay says. But that shouldn't give way to a company's data being flung all over the Internet, even though "that model seems to be the model going forward, especially with regard to things like personal file sharing software and even IoT devices or personal consumer electronics that people bring in to make their work experience more enjoyable," he says.
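Data awareness of the kind Hay describes starts with two questions: which stored files contain sensitive information, and which of those are readable by people who shouldn't see them. The following is an added example, not code from the article or from DataGravity. It scans a constructed in-memory set of files (the paths, contents and a simplified "readable by everyone" flag are all invented for the example) for two common sensitive-data patterns, SSN-shaped strings and card numbers that pass a Luhn check, and reports only the hits that sit on world-readable paths.

```python
"""Discover sensitive data and flag where it is over-exposed (added example)."""
import re

# Constructed sample "file system": path -> (content, readable_by_everyone).
# In a real deployment these would come from walking shares and reading ACLs.
SAMPLE_FILES = {
    "/shares/hr/payroll.csv": ("name,ssn\nAlice,123-45-6789\n", True),
    "/shares/finance/cards.txt": ("refund to 4111 1111 1111 1111 approved\n", False),
    "/shares/public/notes.txt": ("order 1234-56-7890; test pan 4111 1111 1111 1112\n", True),
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content):
    """Return the set of sensitive-data labels found in a piece of text."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("ssn")
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drop digit runs that merely look like a card number
            labels.add("card")
            break
    return labels


def inventory_sensitive(files):
    """Map each path that holds sensitive data to the labels found there."""
    return {path: classify(content) for path, (content, _) in files.items()
            if classify(content)}


def find_exposures(files):
    """Sensitive files that are readable by everyone: the 'shouldn't have it' cases."""
    return sorted((path, labels) for path, labels in inventory_sensitive(files).items()
                  if files[path][1])


if __name__ == "__main__":
    for path, labels in find_exposures(SAMPLE_FILES):
        print(f"EXPOSED {path}: {', '.join(sorted(labels))}")
```

The Luhn check is what keeps the second, non-exposed hit list short: the invented "4111 1111 1111 1112" in the public notes file is the right shape but fails the checksum, so it is not reported, while the payroll file is both sensitive and world-readable and is the one finding that needs action.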
2. People poisoning
"We do as much as we can do to make sure we're protecting our organizations, our business, our reputations," says Tristan Woods, CTO of Safeguard World International. But that doesn't mean much if hackers go after people. "The social engineering component is the biggest one because the people component is the hardest thing to control."
The best way to stop that is again at the people point. Twice a year, Safeguard World International trains all employees from the CEO down. "We try to train people on how to be secure in their own lives because if you train people on how to look after their online identity and personal reputation outside of work, that's going to infiltrate to what they do inside work," he says.
3. Hack attacks
No one wants to be the next Target – or Home Depot or Anthem. That's why data breaches are a top concern for Joe Magrady, CIO of Vertafore.
That means a lot of different things beyond social engineering, including end-to-end encryption "across the value chain of the process," he says. Also important are traditional safeguards – for example, keeping anti-malware and antivirus protection current, having firewalls current and optimized, and monitoring.
Monitoring is key, he says, because "it's not if. It's when." And when that hacker gets in? Your security team needs to know about it immediately and begin triage. "What is your ability to, as quick as you can, immediately detect what's going on? That speaks to just having the right log data and monitoring data and having the sophistication both from an operational perspective but also the analytic capability to correlate things and to filter out the noise and get at things sooner."
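Magrady's point about correlating log data and filtering out the noise is easier to see on concrete input. The following is an added example, not code from the article or from Vertafore: it parses a handful of constructed SSH authentication log lines (the timestamps, usernames and addresses are invented) and raises an alert only when a burst of failed logins for one account from one source is followed, within a short window, by a success from that same source. Isolated failures, which make up most of any real auth log, are treated as noise.

```python
"""Correlate authentication events to separate signal from noise (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not taken from the article).
SAMPLE_LOG = """\
2016-05-10T09:00:01Z auth sshd: Failed password for alice from 10.0.0.5
2016-05-10T09:00:04Z auth sshd: Accepted password for alice from 10.0.0.5
2016-05-10T09:01:00Z auth sshd: Failed password for bob from 203.0.113.9
2016-05-10T09:01:02Z auth sshd: Failed password for bob from 203.0.113.9
2016-05-10T09:01:03Z auth sshd: Failed password for bob from 203.0.113.9
2016-05-10T09:01:05Z auth sshd: Failed password for bob from 203.0.113.9
2016-05-10T09:01:06Z auth sshd: Failed password for bob from 203.0.113.9
2016-05-10T09:01:09Z auth sshd: Accepted password for bob from 203.0.113.9
2016-05-10T09:30:00Z auth sshd: Failed password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5               # failures that must precede a success ...
WINDOW = timedelta(minutes=2)    # ... within this much time, to count as suspicious


def parse_events(log_text):
    """Turn raw lines into (timestamp, outcome, user, ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line: skip rather than crash the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_logins(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when >= threshold failures for (user, ip) are followed within
    `window` by a successful login from that same (user, ip)."""
    recent_failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, outcome, user, ip in parse_events(log_text):
        q = recent_failures[(user, ip)]
        while q and ts - q[0] > window:    # expire failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
        elif len(q) >= threshold:          # success right after a burst of failures
            alerts.append({"user": user, "ip": ip, "failures": len(q), "success_at": ts})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT {a['user']} from {a['ip']}: {a['failures']} failures then success at {a['success_at']}")
```

Nine events go in and one alert comes out: alice's single mistyped password and carol's lone failure are filtered away, and only bob's burst-then-success pattern reaches an analyst. The threshold and window are the knobs a security team tunes against its own baseline.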
That's key if you work at an organization that holds valuable data like someone's full medical history, which fetches more on the black market than a credit card number, Hay says.
4. Data walk-off
What happens when talent leaves? Data might leave with it.
"A common thing we get is 'hey we just had this super talented employee who does some very key stuff for us join a competitor,'" says Rajesh Ram, co-founder and chief customer officer of Egnyte. "That's a very open-ended challenge that we CIOs deal with."
This is at the center of a legal battle royale between Fitbit and Jawbone.
Ideally, a company should have structure in place to be able to know what "every one of your employees is working on in terms of access to corporate material," he says. A company should also have the capability to "manage that process and know exactly what they had access to and what they walked away with."
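Ram's two questions for a departing employee, what they had access to and what they walked away with, can be answered from data most organizations already keep: group memberships, share permissions and a file-access audit trail. The following is an added example, not code from the article or from Egnyte. It builds a departure report from constructed group, ACL and audit-log records (all names, paths and timestamps are invented), listing the shares the person was entitled to read and every download or external share they performed in a lookback window before their departure date.

```python
"""Departure report: entitlements and outbound copies for a leaving user (added example)."""
from datetime import datetime, timedelta

# Constructed sample directory data (not from the article).
GROUP_MEMBERS = {
    "engineering": {"dana", "eve"},
    "finance": {"frank"},
    "all-staff": {"dana", "eve", "frank"},
}
SHARE_ACL = {  # share -> groups allowed to read it
    "/shares/source": {"engineering"},
    "/shares/ledger": {"finance"},
    "/shares/handbook": {"all-staff"},
}
# Constructed file-share audit log: (timestamp, user, action, path).
AUDIT_LOG = [
    ("2016-04-01T10:00:00Z", "dana", "read", "/shares/handbook/policies.pdf"),
    ("2016-04-20T15:12:00Z", "dana", "download", "/shares/source/release-2.1.zip"),
    ("2016-04-22T09:30:00Z", "dana", "share_external", "/shares/source/roadmap.xlsx"),
    ("2016-04-25T11:00:00Z", "eve", "download", "/shares/source/build.log"),
    ("2016-02-10T08:00:00Z", "dana", "download", "/shares/source/old.tar"),
]
# Actions that move a copy of the data outside the share.
EXFIL_ACTIONS = {"download", "share_external"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def entitled_shares(user, groups=GROUP_MEMBERS, acl=SHARE_ACL):
    """Shares the user could read, derived from group membership and the ACL."""
    user_groups = {g for g, members in groups.items() if user in members}
    return sorted(share for share, allowed in acl.items() if allowed & user_groups)


def walked_away_with(user, as_of, lookback=timedelta(days=30), log=AUDIT_LOG):
    """Downloads and external shares by the user in the lookback window before as_of."""
    end = datetime.strptime(as_of, TS_FORMAT)
    cutoff = end - lookback
    copies = []
    for ts, u, action, path in log:
        when = datetime.strptime(ts, TS_FORMAT)
        if u == user and action in EXFIL_ACTIONS and cutoff <= when <= end:
            copies.append((when, action, path))
    return sorted(copies)


def departure_report(user, as_of):
    """Combine both views into the report an offboarding review would start from."""
    return {
        "user": user,
        "entitled_shares": entitled_shares(user),
        "removed_copies": [(w.strftime(TS_FORMAT), a, p) for w, a, p in walked_away_with(user, as_of)],
    }


if __name__ == "__main__":
    report = departure_report("dana", "2016-05-01T00:00:00Z")
    print("entitled:", report["entitled_shares"])
    for when, action, path in report["removed_copies"]:
        print(f"{when} {action:15} {path}")
```

For the constructed data the report shows dana entitled to the source and handbook shares, and two outbound copies from the source share in the final month; the February download falls outside the window and the handbook read is not an outbound copy, so neither is listed. The same report run on a schedule for everyone, rather than only at departure, is what turns "what are they working on" from a guess into a record.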
Also, can you remotely wipe or lock a phone or laptop? That's not just important for employees going to a competitor, but for when devices are lost or stolen. You need to be able to "nuke something when you know it's gone and never going to get it back," Ram says.