Pub. 14 2019-2020 Issue 1

WWW.NEBANKERS.ORG 20 You Are a Technology Company Changing Your Perspective on Technology and Business Jon Waldman, Partner, EVP of Information Security Consulting - SBS CyberSecurity, LLC A S YOUR ORGANIZATION IS REVIEWING ITS STRATEGIC PLANS , take a moment to evaluate the use of technology as a core component of your business. If most of you are being honest with yourselves, you will realize that your organization has shifted from performing a service for a customer and using technology to make that service more convenient to truly operating as a technology company that offers your customer a specific service. Look at it this way: if the majority of your customer inter- actions involve some component of technology, whether it’s through online banking, mobile payments, other mobile appli- cations, email, your internet-based telephones (VoIP), looking up customer information in your CRM or other software, you are a technology company. Another way to reality-check yourself is by asking this ques- tion: “If my organization threw all our technology out the door today, could we still do business effectively and really serve our customers?” The answer is surely a resounding “NO.” The reality of today’s business world is that nearly all organizations of any scale rely so heavily on technology that without it, we’d largely be unable to do business long-term. We often hear that technology, and especially information security, is regarded solely as an expense to your business’ bot- tom line, but it’s high time we change that perspective. Here are three (3) ways that tech companies think differently about their organization and security: 1. They understand the risk. 2. They test their people, processes and technology. 3. Their cybersecurity program starts at the top. Understand the Risk Being able to truly mitigate your risk starts first with how well you can understand and quantify risk. If you perform a risk assessment and your results only state that you have “low” risk, how do you know that’s right? How do you know what you need to do next? The primary job of a risk assessment is to help youmake deci- sions. When it comes to IT or Cybersecurity Risk Assessment, the output should provide youwith a clear understanding of what you have and how important that stuff is, how risky your stuff is, and where you should spend your next information security dollar to mitigate additional risk. Don’t just perform a risk assessment to check the box; really know and understand your risk so you can secure your organization more effectively. Test People, Process and Technology There are three (3) ways to protect your information: 1) People; 2) Processes; and 3) Technology. Your organizationmust implement risk-mitigating controls to protect your networks and customer information fromthose three categories. In turn, so that you are certain those controls are in place and working correctly, you must test the effectiveness of those controls. TECH TALK