A CFO told me today that he feels challenged because his VP of IT is “very sensitive to being too ‘Big Brother’ in his approach to security.” The CFO wants his VP of IT to increase cyber-security, “even if it means taking away some latitude for employees, etc.” Other times, CFOs explain that their VP of IT is overboard on security. What to do?
The answer is to differentiate between 1) cyber-security changes the users will notice, such as making them change their passwords more often, vs. 2) security changes that can be implemented without the user even noticing. Of course, #2 is the way to go. That way, the VP of IT and the CFO both win: things are more secure, and the VP of IT doesn’t feel like he is getting in the way of business.
How strict you want your own VP of IT to be is part of your risk assessment. If your customers entrust sensitive information to you, and if your organization’s reputation will be tarnished if there is a breach, then those conditions dictate a more restrictive posture.
Please help spread the word that, as in #2 above, every organization should strongly consider implementing, first, the security controls that users won’t even notice.
Please post your comments below.