The people who work in your business or organization's information security office used to be the ones who would tell you what you couldn't do, but today that has changed. Now their role is to manage information security to create change, not block it, information security expert Jim Nelms said.
For example, Nelms said, information security officers at a hospital system might need to figure out how to provide services securely over a remote Internet connection, not just say it can't be done.
“It enables the business to move ahead,” he said.
Nelms, chief information security officer for the Mayo Clinic, addressed about 200 information technology and security professionals Thursday at CoSentry's third annual Corporate Compliance and Security Summit, held at the Omaha Marriott.
Before joining the Mayo Clinic, Nelms was responsible for information security and risk management at the U.S. Treasury.
Businesses cannot completely prevent information security breaches, but they can manage risk better by evaluating its probability scientifically, rather than through perception or fear, he told The World-Herald after his talk. Then it's the security chief's role to be able to explain the risks to other executives in a common language that they can understand.
“The CISO's role is to be able to bring business risk, a calibrated business risk, to the C-table to make decisions,” he said.
Omaha business owners who are struggling to understand how to best protect their data or intellectual property shouldn't be shy about asking a consultant for help, Nelms said.
“You cannot grow security organically — the industry moves too fast,” he said, with risks evolving over the past 18 months to include “advanced volatile threats” — malicious software programs that damage a computer network's memory, then disappear without a trace, making them hard to detect.
“For every technology that's released,” he said, “there's somebody there waiting to exploit the technology.”
Another threat comes from inside an organization — employees who don't think critically about sharing sensitive information in an age when everything is online and public.
“The information age has exploded, and the risks that we run are not just technology in nature,” Nelms said. “They have to do with people, process and technology.”