Joanne L. Martin is Hartman’s chief information security officer (CISO). She joined the company following an esteemed career at IBM that culminated in the role of global CISO and vice president for IT risk. We sat down with Joanne to pick her brain on all things cyber.
What’s the number one thing you tell business leaders about cybersecurity?
Cybersecurity is not something a small group can take care of independently or something that should be delegated to the IT team. All employees at all levels need to understand the role they play in keeping the organization safe.
Where does training fit in?
Cybersecurity training is not just a box to check off, but rather, must become a comprehensive and ongoing part of an organization’s culture — and it has to start at the top to be most effective. Leaders who recognize the value of ongoing cyber training can set an example for their entire company and mitigate future negligence that can lead to a breach.
How prevalent is cybersecurity employee training?
Despite numerous studies that have found that an organization’s greatest risk for cyber incidents comes from within, many companies do not provide any form of employee cybersecurity education, and therefore, put their organizations at significant risk for a data breach.
Would you say that most internal cyber threats are intentional?
No. Most employees inherently want to do the right thing when it comes to security but are often untrained and unaware of how their actions can affect the organization and potentially expose proprietary information and intellectual property. With millennials surpassing other generations in the workforce in terms of numbers, employees’ expectations around technology and attitudes toward security are rapidly changing. It’s time for employers to address these realities in order to protect their organizations from a breach.
In small or mid-size organizations, is the CIO the best person to handle cybersecurity?
It’s a challenge for organizations of all sizes to separate cyber from IT, but cyber is a business risk issue, not an IT issue. Many of the steps to remediate issues are implemented by the IT organization, and so a partnership with IT is critical. But, from the outset, leaders should approach cybersecurity like any other business risk — with a clear, strategic process where the risk is analyzed and a plan is designed for mitigation. While an IT leader can certainly become a cybersecurity expert with proper training and experience, separating and defining the roles is key to long-term success.