Enterprise IT security planning: Five ways to build a better strategy

Struggling to get the boss to take security seriously? Here are some pointers that can help get the board on board.
Written by Mark Samuels, Contributor

The qualities recommended for building a successful digital business, such as flexibility, agility and openness, don't always sit comfortably with the more sober demands of a corporate security policy.

So, how can IT leaders create an approach to information security that is fit for the modern business? ZDNet speaks to five experts about the key issues CIOs face.

1. Make cybersecurity your number one priority

More than a third (36 percent) of IT leaders say information security is their top concern for 2017, according to research by The Society for Information Management. It is a sentiment that chimes with Juan Perez, CIO at logistics specialist UPS.

"It's top of mind for every CIO, and certainly me, and it's an area that requires constant work," he says. "IT leaders know it's a priority that isn't going to reduce. And it's a priority that we do not take lightly."

Perez joined UPS as an intern in 1990, working his way up through the business to become CIO in March 2016. He was given additional responsibility for engineering at UPS in April and manages the company's $1.1bn annual IT budget. Information security is a key spending area for UPS.

"We continue to make investments and, ultimately, it's an area where we will work to build our defences, support our employees and protect our customers' data. IT leaders need to continue to push hard to ensure information security is paramount across their organisations," he says.

2. Understand the importance of making a commitment

Jonathan Mitchell, non-executive director at recruitment firm Harvey Nash and former CIO at Rolls-Royce, says cybersecurity concerns continue to increase. He points to research from Harvey Nash's annual CIO survey, produced with KPMG, which suggests cybersecurity vulnerability is at an all-time high.

Almost a third of IT leaders (32 percent) say their organisation has been subject to a major cyber-attack in the past 24 months, a 45 percent increase from 2013. "People are feeling worse year-on-year," says Mitchell, referring to the results, which suggest the top three sectors for attacks are government, utilities and leisure.

"CIOs must take a much tighter grip of information security management," he says. "Keeping up to date with security is the cost of doing business."

Mitchell says it is surprising that more companies are not fully committed, given the high levels of attack. The good news is that security is moving up the executive agenda. He says the top things CIOs talk about in boardrooms are IT strategy, major transformation initiatives and cybersecurity concerns.

"There's a growing interest in security, but my belief is that many organisations are not aware of how fast they must move to keep their systems patched," says Mitchell. "I also think many of the core operating systems that businesses use are not designed with the adversary in mind. Organisations often have to deal with a legacy of systems that are designed to be as open as possible."

3. Embed a culture of risk management across the business

Lisa Heneghan, global head of KPMG's CIO advisory practice, is also concerned by the research results. "The statistics are not moving in the right direction," she says, referring to the apparent lack of preparedness for cybersecurity concerns at executive level.

Harvey Nash and KPMG's research shows that only one in five CIOs (21 percent) believe their organisation is "very well" prepared to respond to attacks, down from 29 percent in 2014. The survey also shows that the biggest jump in threats comes from insider attacks, up from 40 percent to 47 percent over the past 12 months.

"My work with clients suggests there's an increased focus on how the business establishes better governance, risk and control. Organisations need to remember that IT is distributed across the business," says Heneghan.

"Executives must ensure they embed the culture of risk management across the organisation. And, thankfully, CIOs and CISOs are becoming much more broadly engaged across business functions, rather than simply focusing on the IT department."

4. Apply measures that are fit for the open world

Renaud de Barbuat, group CIO at retail giant Carrefour, recognises that the key mission for modern businesses is to deal with information security, not just system security. IT leaders, who might once have focused on security tools and techniques, must take a much broader approach in the digital age.

"This realisation means security concerns are increasingly important at board level," says de Barbuat. "The CISO and CIO are key to educating executives, explaining the challenges and addressing those information security issues in a new, open world."

What becomes apparent, says de Barbuat, is that the spectrum of potential security concerns is wide. He says IT leaders and their C-suite security counterparts must go beyond the traditional defendable-perimeter approach to security and instead apply measures that are fit for this open world.

"Great CISOs act across the whole spectrum of information, both in terms of user behaviours and in the way information is handled. In retail, the information security stakes are high for customers and their data," says de Barbuat, before raising the spectre of governance and the ever-increasing legislative burden.

"Businesses face increasing amounts of regulation, including the forthcoming General Data Protection Regulation. Retailers must address those rules and regulations satisfactorily, but they must also ensure they establish security around payments and fraud detection. Finally, innovation is important, and retailers must protect the intellectual capital of the business."

5. Create a long-term strategy for system integrity

Brad Johnstone, head of ICT at Ayrshire College, appreciates the need to develop an organisation-wide approach to defence. He says information security is crucial to his educational establishment.

Johnstone and his team have implemented a virtual desktop solution, using Citrix XenDesktop, and have deployed IGEL thin-client terminals. The virtual desktop approach means his team applies system updates to four base images, rather than having to update 700 individual machines across the campus.

"We run a significant estate and we're aware that you're only as good as your last issue. Everything is encrypted, and we make sure applications and data run in a secure virtual private network. Our approach means we can react very quickly to any alerts and implement critical updates," says Johnstone.

"We feel we've got a strategy in place to maintain our system integrity. Security must be at the core of what we do and we must ensure we don't accidentally create a hole and give attackers an avenue into our IT environment."
