IT leaders are perpetually on the hot seat to shore up their companies’ networks and infrastructure against increasingly aggressive cyber security threats.
With nearly 30 years in technology roles, the majority of those spent in the U.S. Air Force as a Logistics Systems Manager, R.C. Woodson can fairly effortlessly prepare a security strategy. But as seasoned executives know, the biggest liability within any organization is its people.
“Technology alone cannot solve information security issues,” Woodson explained. “I had to ensure other senior managers helped to make policy choices and enforce those policies to protect the value of the organization’s data.”
Woodson is the VP of IT at Doyon Limited, a 40-year-old Alaska Native corporation that operates everything from oil field services, land and natural resource development to utility management, construction and tourism companies.
Cyber terrorists target Native corporations more frequently because they are perceived as easy targets to infiltrate, with greater vulnerabilities.
Federal regulatory pressure, customer requirements, and now, senior management expectations mandated the need for a more formalized and robust information security program to protect Doyon’s systems and assets.
Many of the corporation’s businesses and managers shy away from addressing information security because it’s perceived as a technically complex task, Woodson continued.
“I had to educate other senior managers that implementing information security has more to do with management than with technology.”
Info-Tech Research Group helped Woodson open the necessary discussions and earn corporate buy-in.
The first step required categorizing and valuating the corporation’s assets, which naturally engaged each company’s senior management.
Information security requires money, staff and regulations. In order to design a security policy, Woodson had to collaborate with senior management across all the corporation’s individual companies to determine how much money needed to be invested and what size staff would be needed to design policy and regulate across the organization.
Additionally, Woodson was able to employ a Security Analyst for the first time in company history.
“Alignment can be a difficult area for security to get right when it’s trying to balance both regular IT and the business,” Woodson said. “We performed an accurate assessment of our current security operations and maturity levels, which was well laid out by Info-Tech. We had clear guidance on what to assess and how to assess it.”
Info-Tech helped Doyon analyze and integrate regulatory and industry best practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and SANS to ensure an exhaustive approach to security.
Woodson added that a comprehensive current state assessment, gap analysis, and initiative generation ensured nothing was left off the table.
“This project also elevated the perception of the security team from being a hindrance to an enabler for the organization.”
Stay tuned for an update in the coming weeks as Woodson and his team progress through Info-Tech’s program. They are currently developing a process for assessing mitigation effectiveness and generating insightful and unique information to support sound InfoSec decision making.