What Does CIA Have to Do with the CISO?

What Does CIA Have to Do with the CISO?

In the good old days, CISOs maintained a broad view of their security posture. If they paid special attention to any one area, it was to the processes and tools protecting the confidentiality of their data: preventative and detective security processes, and tools such as firewalls, anti-virus, anti-malware, intrusion detection/prevention, and monitoring solutions. These helped to ensure that sensitive data such as personally-identifiable information, health information, card payment data, and proprietary information stayed within the four walls of the organization.

Malicious users also had a different focus in those days. Their goal was breaching the environment through conventional approaches in order to exfiltrate data for glory, competitive advantage, or profit. Traditional security measures, though, along with a comprehensive set of policies and best practices, were typically enough to avoid most of the security-related events of the day and keep the bad guys at bay.

Sadly, times have changed.

A CISO can no longer afford to give preferential treatment to simply protecting the confidentiality of data. With the proliferation of cyber-attacks aimed at circumventing and compromising the integrity and availability of data, today’s CISO must evaluate and implement ways to protect all three areas of the CIA triad: Confidentiality, Integrity, and Availability. The problem? The bad guys know this, and are adjusting their approach to match—at an alarming rate.

In addition to implementing security controls to manage risk associated with the unauthorized disclosure of confidential information, immediate consideration should be given to how the integrity and availability of information can be maintained; not only for data within the organization, but also backups, mobile workforce data, and data stored in the cloud. CISOs must consider an integrated approach that incorporates confidentiality, integrity, and availability, and is seamless and integral to how the organization operates. This approach should be constructed so that security controls are layered and complementary while not leaving any gaps.

Even the U.S. government recognizes this as a major concern, as witnessed by recent government efforts to stem the flood of malicious acts such as ransomware. However, attacks like ransomware don’t play by traditional hacker rules. The new breed of cyber-criminal is looking for a quick payoff, and holding an organization’s data hostage has proven to be an effective way of making that a reality. In order to mitigate this risk, organizations must not only implement traditional security controls such as user awareness and training, but also employ contingency planning to ensure that compromised data or systems can be restored quickly. Remember, ransomware attackers’ only leverage is that they have the key to encrypted data that an organization needs in order to operate. Thus, having a secured, tested, and reliable source of backup data is the key to NOT being held hostage by ransomware.

This security control, though, like many others in the information security world, is only effective if it is implemented in a timely manner, i.e., before an incident occurs. This underscores the urgency of re-evaluating how security controls are working together within the organization and doing so in a proactive manner.

Its time for CISOs to reevaluate security controls.

So how can an organization integrate all three aspects of the CIA triad into a model that offers a trusted, reliable, and secure retention and recovery solution built for today’s threats?

The extensive backup and governance capabilities of Druva inSync provide the ideal approach for today’s concerned CISO. inSync is the industry’s first complete data protection package, offering a converged platform for ensuring the confidentiality, integrity, and availability of your sensitive business data. inSync enables organizations to reclaim control over their critical business data wherever it resides, and to:

  • Backup and recover endpoint and cloud data
  • Proactively monitor and identify at-rest data risks (e.g., PHI, PCI, PII)
  • Support mobile and cloud legal hold requests and eDiscovery system handoff
  • Prevent data breach when devices are lost or stolen
  • Access and share data anytime, anywhere, on any device

Ready to get started with the industry’s #1-ranked enterprise end-user data protection solution? Contact Druva today for an obligation-free trial of inSync.

For best practices and actionable advice for managing the rising risks of dispersed data across your organization, download our latest report below.


Sese Bennett

Sese Bennett

Sese Bennett is a Senior Manager with LBMC Information Security, LLC. In his role, Sese assists clients in developing, designing, and implementing solutions to identify and manage both business and technical risk in highly complex environments. His information security experience includes large Fortune 100 companies in the telecommunications space, health care organizations, governmental agencies, retail, software/hardware developers, manufacturing, and financial services. Sese has spent the last 8 years in an information security leadership role, most recently as the Chief Information Security Officer for the State of Tennessee. Sese has also served as Information Security Architect for Blue Cross Blue Shield of North Carolina and worked as a consultant for Sally Beauty Supply, Nieman Marcus, Lockheed Martin, and Johns Hopkins University. Certifications: Certified Information Systems Manager (CISM); Certified Information Systems Security Professional (CISSP)


Leave a reply

Your email address will not be published. Required fields are marked *