Just like a parent in denial, a CIO sometimes has to learn the hard way, with news delivered in the middle of the night.
"People are a little more confident than they should be," Phillips said. "They think they're secure until something happens. There's an illusion of security."
When it comes to data security, the first thing CIOs have to learn is that no security policy and system can be perfect. However, it is possible to sleep at night knowing your system is "good enough," Phillips said.
When is enough enough?
You can't eliminate risk entirely, but you can lessen your vulnerability. Look at it this way: you lock the door to your house. It's reasonably secured. You could add a few more deadbolts to the door or maybe a second, locked screen door. Then your house would have more security, but in most neighborhoods a simple lock is good enough.
Understand, however, that if you're asking yourself if you have enough security, enough is a relative term and "comes in many flavors and shifts constantly," Phillips said. What's enough for you may not be enough for another organization.
The key to making sure you have enough security is conducting a thorough risk assessment . That process differs depending on size of company, vertical industry and types of data contained in the system, Phillips said.
Students are always finding new ways to get around a secure system, Young said, even though in some cases there are eight to 10 layers of security aimed at preventing breaches. From his viewpoint, Young figures he can never be 100% secure, given the rapid-fire rate that technology changes.
"There are always vulnerabilities," he said. "You do an MS upgrade and something comes up. The simple thing of a password -- people are sticking their passwords on sticky notes on their computers; VPs are giving them to their secretaries."
Accepting that it's OK to be "good enough" is a first step. After that, Phillips recommends the following risk-based approach:
- Start fresh: Go back into your organization and make sure everyone is on the same page as to what should be protected and why. Define a level of importance to the business.
- Evaluate and order critical assets. What are your organization's critical success factors? What are the critical assets required for success?
- Estimate your vulnerability level. Consider external and internal threats and estimate the probability of loss.
- Determine the best way to secure each asset.
- Determine how much resources will be spent based on the value of the assets.
"You decide your risk profile," Phillips said. "No matter how you cut it, [it's essentially] a roll of the dice. There's no perfect solution. Sometimes you just have to say, 'it's a risk we'll have to take.'"
Let us know what you think about the story; e-mail: Kate Evans-Correia, News Editor