Your whole organisation needs to get real about IT security: Here's how to do it

Spending money on security isn't going to solve the problem alone -- CIOs need the rest of their organisation to understand the risks too.
Written by Mark Samuels, Contributor

BT Business CIO Colin Lees: "You're only as good as your last attack. You've got to be diligent."


Most businesses are badly prepared when it comes to dealing with cyber attacks: despite almost constant warnings about security threats, most companies rate their cyber resilience as low, even though they are spending a significant chunk of their IT budgets on it.

So how should CIOs make sure executives and staff are taking security seriously?

1. Get the board to understand the real risks

Tim Holman, chief executive of 2-sec and director of the Information Systems Security Association, says a strong approach to cyber threats must come from the very top of the business: "That means the executives who are accountable should things go wrong, and that's probably why you don't see the names of IT managers in the press when a company gets hacked," he says.

Holman says the first step -- as simple as it sounds -- is for the business to take cybersecurity seriously. "A board must at least acknowledge the risk of a hacking incident or rogue piece of malware is clear and present," he says.

Such C-level acknowledgement might include a security awareness exercise or penetration test. Even seemingly straightforward analyses can help, including an awareness of other companies in your sector and an up-to-date check on whether any of them have been in the news lately for a breach.

Second, says Holman, CIOs should encourage board members to take a few hours out of their busy schedules to conduct a security risk assessment. "The numbers soon add up, especially if we're talking about a business that relies on a critical online presence to bring in revenue."

Investing in security products, says Holman, represents the third and -- very much -- final step for CIOs. "Don't just throw money at security in an attempt to solve steps one and two. Products won't work or solve a broken risk management function at an executive level," he says.

2. Set people policies and share with peers

Colin Lees, CIO at BT Business, says that while organisations have previously focused on the security of larger systems, a change in attack vectors means outsiders no longer hit the company head-on but instead try to nip in through the back door.

"They get inside your estate and then they sit there and wait," he says. "You used to survive by building a massive perimeter and a controllable front door. You can't do that anymore -- and we had to change our approach to security in order to create an incredibly tight inventory of our IT estate."

Everything, says Lees, changed very quickly during 2015. "We went from seeing one or two attempted cyber attacks a month to many, many more," he says.

Lees says there is no simple explanation of why the cyber threat has increased, although he suspects potential intrusions come from multiple sources around the globe. Attackers can now download powerful tools for free on the web, so the cyber threat has, as a result, been democratised.

The recent high-profile breach at TalkTalk formed just another element of that increased focus on security. Lees says the first thing that happened after TalkTalk's breach was that he and his colleagues reached out to see if they could help their competitors in any way.

"It's a case of, 'there but for the grace of God go I'," he says. "You're only as good as your last attack. You've got to be diligent. We work tremendously hard in regards to security at BT. We've got a very experienced cybersecurity department and threat lab."

Holman's focus on risk management tallies with the approach of Colin Lees at BT Business, whose main aim is to ensure potential points of entry are locked down. People policies are also important, and he says BT has a range of plans and procedures for key areas, including building security, system access, and worker behaviour, the last covered through education and training.

"The key to success is risk management, with an appropriate level of spend," says Lees. "You have to be prepared to invest. When I speak to other CIOs in other sectors, I sometimes find there's less investment in security than at BT. Being so network-oriented means it's a crucial area of IT spend for us."

As well as risk management, Lees says risk-modelling plays a key role at the telecoms firm. He says he talks to other CIOs, for example, about the 15-or-so things that most businesses need to consider in order to maintain a good level of information security. "When we talk to our peers, many are not covering all of those areas yet," he says.

3. Take action to protect your firm's most valuable assets

David Reed, head of IT and data operations at the Press Association, recognises that his firm would not have enough control over processes if journalists used their own devices to file copy, take pictures, and write articles. "The responsibility would be theirs, and would in effect be us saying that the buck stops with them," he says.

Reed says security is of paramount importance for PA, and was a major factor in the firm's decision to implement a corporate-owned, personally enabled (COPE) mobile strategy. PA has given employees a range of devices but Reed is able to manage the whole estate through a combination of mobile data management technology from EE and the Knox security software from Samsung.

"The devices are suitable for work and personal use," he says. "All whitelisted apps sitting in the container are protected from any malware that could have been installed unknowingly by the user."
