CIOs are under more pressure than ever before when it comes to cybersecurity concerns, especially now that many or even all of the staff in their organisation are working from home, perhaps using unfamiliar software and hardware as they try to do their jobs on lockdown.
The array of devices and applications that they have to take responsibility for has been rapidly expanded by the 56% of enterprises expect to increase their security spending in response to COVID-19., and criminals have been keen to exploit any organisations thrown off-balance by the rapidly changing circumstances, which means taking a fresh look at what IT security really means. Tech analyst HFS Research recently reported that
"The threat landscape changes on a daily basis," says Simon Liste, chief information technology officer at the Pension Protection Fund (PPF). "We've had to shift our approach so that we recognise that information security is not about 'if' you get hit but 'when' you get hit. Understanding that shift in terms of technology, culture and leadership has been hard – and not just for the PPF, but for a lot of organisations."
Liste says he's fortunate to have a strong technical background and, from his previous roles as a technical engineer and analyst, believes he's developed a good understanding of cybersecurity concerns. Here's four areas he believes IT leaders should focus on to create an effective security strategy.
1. Get buy-in from the senior leadership team
Liste says it's crucial the board understands the importance of cybersecurity. "At board level it's on the agenda at all times, especially in the position we find ourselves in right now with COVID-19," he says.
Set up by the Pensions Act 2004, the PPF protects millions of UK people who belong to defined benefit pension schemes. If their employers go bust, and their pension schemes cannot afford to pay what they've promised, the PPF pays compensation for their lost pensions.
"We have a responsibility to our internal colleagues and our external members to make sure that the data we've got is secure," he says. "Because of the role we fulfil as an organisation, we need to protect the intellectual property that we have."
Since joining the PPF in February 2018, Liste has worked with the board to help develop their awareness of cybersecurity threats. The effort has paid off.
"They really get the critical role of information security to our organisation," he says. "And they're continually evolving their understanding, so they know that security isn't just about dealing with external threats."
2. Focus on continually honing your processes
When he became CIO at the PPF, Liste brought the management of cybersecurity back in-house after it had previously been outsourced to an external provider. He was keen to take back control of IT management decisions and he's developed an information security and privacy department.
"We don't just do a standard annual check of our systems; instead, we're constantly evaluating our estates," he says. "Cybersecurity is about trying to keep on the front foot all the time, but it's also about understanding you can't find a silver bullet that sorts everything. That just doesn't happen, so you need an ethos of constantly checking and challenging."
As part of his internal management of cyber-defence systems, Liste has established an information security committee, which helps to coordinate IT security initiatives at the executive level and ensures the value of – and risk to – data is established and recognised.
The organisation adheres to industry best practices, including ISO 27001, which is the international information security standard. The PPF is also looking at the Cyber Essentials Plus information assurance scheme operated by the National Cyber Security Centre.
"What's important is the mechanism around applying the right processes," says Liste. "You need to think about a range of key questions: how can you identify, how can you monitor, how can you manage, how can you recover, and how can you be proactive?"
3. Layer your security partners – and test them, too
Liste says insourcing IT has allowed his team to disaggregate the support model and spread provision across a series of suppliers, which helps to reduce the level of potential risk.
"Don't put all your eggs into one basket," he says. "There's often a debate around cost-appropriate security solutions, but I don't think you can sacrifice costs when it comes to security. It's not a financial decision – it's more around identifying what's absolutely fundamentally critical in terms of the data you need to protect."
Liste says the PPF uses cloud-based, perimeter gateway services and also more traditional enterprise firewalls. He advises other CIOs to try and spread risk at the hardware level and use different providers for different areas of IT infrastructure, such as servers and desktop PCs. He says the PPF's main security partner is a "top-five global specialist".
"A good security partner has intelligence – they can interrogate what's happening on your network, and what traffic's going in and out, but they also know what's going on outside your corporate environment in a place like the dark web," he says.
Liste is impressed with the level of expertise he receives, but he advises other CIOs to take nothing for granted. He refers to his main partner as his "blue team", but he also employs a "red team" of ethical hackers to regularly test the approach his main security partner is taking.
"That's to see if they can break the services and the recommendations that have been made," he says. "We're just trying to layer the way we're protecting people and data, and the interaction between people and data as well."
4. Engage with the rest of the business
Liste has gone to great lengths to strengthen security awareness at the board level and to build security capability within the IT department. Yet he says it's crucial to recognise good security is a whole-organisation effort. When it comes to creating education programmes, he says CIOs should be prepared to lean on the expertise of other functional heads.
"A good collaboration with your learning and development team, your communications team and your training team is absolutely critical," he says. "You need to work with these experts to make sure you're constantly updating and engaging with people and educating them around the evolution of the cybersecurity risk."
Liste says structured internal education and awareness programmes are the best way to teach staff across the organisation about potential risks. But he also says that training development shouldn't stop at the enterprise firewall, particularly as most staff are currently working at home due to social distancing.
"We don't limit our approach to corporate education," says Liste. "We also talk about awareness at home, which is obviously crucial right now, and we talk about the risk of phishing and being aware of the text messages that tempt you to click on links. We say that the secure practices our people apply at work should be carrying on 24/7."