At CDW, we take a holistic approach to information security. As the company’s CISO, my philosophy is that information security is not a department; it’s a capability and a mindset that we need to have throughout the company. All of our coworkers need to be a part of it.
Any company’s information security program is only as strong as its weakest link. Everyone at CDW — from coworkers in cubicles to the executive boardroom — must be aware of the threats we face and the things they can do to help keep sensitive customer and partner information secure. If not, the entire company is vulnerable. A holistic approach revolves around an understanding that it’s not just technology, it’s not just process and it’s not just people — it’s a combination of all three elements.
To enable a holistic approach, we need more than just our information security team. We rely on all of our people to keep our information and resources secure. Everyone needs to understand that protecting critical business information and resources is a shared responsibility. We take the time to train our coworkers to understand what data is important and needs to be protected. Then we test them to make sure they know, for example, what a phishing email is and how not to fall victim.
Our approach to information security has evolved over the past decade. If you think back 10 years ago, most companies’ general approach to security involved firewalls and anti-virus protection; that was pretty much it. As organizations became more connected to the world, information security breaches became more common and IT leaders started putting in more layers of protection.
I tell people all the time that the only sure way to stay safe is to unplug the network. But that’s not realistic, so we have to figure out how to put in the right controls to remain connected to our partners and customers, while protecting the things we need to protect.
The reality is, every company will be breached at some point. Thinking you can fully prevent it is a losing battle. We have to figure out how to a) slow attackers down; b) catch them quickly; c) limit what can be accessed; d) shut attacks down as quickly as possible; and e) use what we learn to strengthen our defenses.
A Framework for Defense
At CDW, we follow the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. There are a lot of different frameworks out there. None of them is perfect, but they provide a structure to build processes upon, as well as a way to measure progress.
We decided to go with this framework because it’s pretty easy to follow and understand. NIST boiled it down to five basic pillars: identify, protect, detect, respond and recover. It describes in easily understandable terms how to break apart the work we need to do to keep our company safe. The NIST framework made it easy to map the measures we were taking under the framework for our executives and our board of directors.
It’s work that we were already doing — the framework just gives us a way to benchmark ourselves against other companies to see where we are and measure our improvement in each of the five pillars. It’s all part of our efforts to establish a holistic security program.