

How will IT directors in businesses that span European
borders adapt as corporate security evolves from a closed fortress
approach to an open door policy?
The responsibilities of the modern CIO are myriad: gaining trust
and confidence, grappling with the complexity of organisations and
products, dealing with the board and the business units, adhering
to corporate governance and legislation, and tackling threats posed
by hackers and spammers.
When you add the responsibility for information and security in
an organisation that ranges across Europe, life becomes even more
complex.
You also need to accommodate differences in mindset about
legislative severity, and differences in national character.
Whichever country they are based in, CIOs face many of the same
challenges. They must try to operate a security model that has
changed from a "fortress" - where everything was kept out - to
"airport" style security. Now everyone is rushing around in
different directions aiming for different destinations, and their
credentials to "fly", or to interact with the company, need to be
checked at every gate rather than once at the door.
Organisations need to welcome everyone in from partners to
customers and hope they are friends, not foes. The key word is now
"deperimeterisation".
But opening up the perimeter means organisations must be able to
establish who they are dealing with, and that rests on identity,
trust and confidence rather than on network location.
David Lacey, chairman of user group the Jericho Forum and
director of information security at the Royal Mail, believes that
trust models are increasingly important. This is why the Jericho
Forum - which has members across Europe - is instituting research
into the development of new trust models.
Essentially, the CIO's approach to security does not change
depending on which European country they are in; it simply depends
on what the business priorities of the company are.
There are, however, some distinct differences where geography,
national characteristics and natural alliances play a role.
Europe can be divided into four sub-regions: the
Nordic-Scandinavian group, the UK, the Franco-German group, and
Italy and Spain. These all play an important part in influencing
corporate governance and legislation.
Coping with legislative demands is one of the CIO's biggest
challenges. In some of the harsher legislative regimes, after a
major breach of the law, the CIO can find themselves in prison.
For many organisations, simply dealing with the differing
demands of the legislation presents a headache. For example, the US
Sarbanes-Oxley regulations are all about auditing and process
compliance, whereas Basel 2 focuses on day-to-day operational risk.
Some argue that being compliant with both of those approaches at
once is a corporate challenge in itself.
This is where geography and national characteristics also come
to the fore. In the Nordic countries there are additional
governance requirements applying to shareholders and stakeholders
and, particularly in those countries, environmental standards that
must be complied with.
Companies also need IT to help shore them up in the case of
managerial incompetence or wrongdoing, and it is the CIO who can
protect the enterprise, establishing a process view of the
organisation.
It is likely that demands on the CIO will increase as security
threats move beyond getting through the firewall and into the
network, towards the applications themselves.
Brian Collins, head of the Department of Information Systems at
Cranfield University and a former global CIO at law firm Clifford
Chance, believes the threat focus has moved to applications, with
databases becoming an eventual target.
"We have moved the business into a network-enabled capability.
The only problem is that we now have network-enabled
vulnerabilities," he said.
Collins believes CIOs will soon have to get to grips with
persuading "the business" - and the board - that some applications
just may be insupportable from the organisation's security point of
view.
"In the most effective organisations, IT and the business units
will already be working together as one to solve this," he
said.
"You cannot have a situation where you have huge business
vulnerabilities 'enabled' by IT, and are opening the door to risk,
both physically to the organisation, and also to its
reputation."
Case study: OKI CIO sets a security policy across Europe
Kevin Holian, chief information officer at printer supplier OKI
Europe, believes making security work is as much about education as
technology. Technology may be an enabler, but discussion and
personal responsibility are far more effective components.
That is particularly true when you are dealing with a
trans-European business environment in which legislative demands
and mindset present myriad challenges. Those differences extend to
data protection legislation and to what counts as acceptable
personal use of the internet.
"Here in the UK, it is commonplace for reasonable personal use
of the internet to be accepted by employers, provided it is not
eating up significant chunks of work time, and you are careful
about which sites you visit," he said.
"But across Europe there is a different expectation that at work
you cannot use the net for private use. As a CIO working across
Europe, you have to be aware of these cultural and legal
differences."
The need to have a cross-organisation view of what software
resides and is used within the organisation prompted Holian to put
Windows Active Directory across Europe, giving him a view of every
PC, and preventing staff from loading unauthorised software, and
particularly downloading software from the internet.
It was a move that caused a corporate outcry across OKI
Europe.
But Holian was able to persuade first his human resources team,
and then the rest of the business, that access to the system was
regulated through a multilayered security structure consisting of
safes, passwords and biometrics.
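The article does not say which Active Directory mechanism OKI used to stop staff loading unauthorised software. The following is an added example, not OKI's or Holian's configuration, showing how the same control is built today with AppLocker (assumed here in place of the older Software Restriction Policies) and pushed out through a domain Group Policy Object: an allow-list is generated from a reference PC that IT installed, tested against a downloaded installer, and published in audit mode so the business can see what would be blocked before enforcement is switched on. The domain name, GPO name, reference directory and the download path are placeholders.

```powershell
# Added example (not OKI's or Holian's configuration): build an AppLocker
# allow-list from a reference PC and publish it through a domain GPO, so
# executables that IT did not install are blocked on every domain PC.
# Assumptions (not from the article): AppLocker is the control used, the
# reference install lives under C:\Program Files, the domain is
# corp.example.com, and the GPO name and download path are placeholders.

Import-Module AppLocker
Import-Module GroupPolicy     # RSAT; provides Get-GPO

$Domain  = 'corp.example.com'                   # placeholder domain
$GpoName = 'Workstation Software Allow-List'    # placeholder GPO, must already exist

# 1. Inventory every executable IT installed on the reference machine.
#    Anything outside this set is treated as unauthorised.
$approved = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Turn the inventory into rules: publisher rules for signed files, hash
#    rules for the rest, collapsed into as few rules as possible (-Optimize).
$policy = New-AppLockerPolicy -FileInformation $approved `
                              -RuleType Publisher, Hash `
                              -User Everyone `
                              -RuleNamePrefix 'IT-approved' `
                              -Optimize

# 3. Start in audit mode: log what would be blocked without blocking it, so
#    the roll-out can be explained to HR and the business units first.
#    Switch to 'Enabled' once the audit log shows only expected blocks.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Before publishing, confirm that a user download (placeholder path) is not
#    allowed. A file matched by no rule is 'DeniedByDefaultRule', so test for
#    any decision that starts with 'Denied'.
$verdict = Test-AppLockerPolicy -PolicyObject $policy `
                                -Path 'C:\Users\jsmith\Downloads\setup.exe' `
                                -User Everyone
if ($verdict.PolicyDecision -notmatch '^Denied') {
    throw "Policy would allow $($verdict.FilePath); review the rules before publishing"
}

# 5. Publish the policy into the GPO's LDAP path; every OU linked to the GPO
#    receives it at the next policy refresh.
$gpo  = Get-GPO -Name $GpoName -Domain $Domain
$dn   = 'DC=' + (($Domain -split '\.') -join ',DC=')
$ldap = "LDAP://$Domain/CN={$($gpo.Id)},CN=Policies,CN=System,$dn"
Set-AppLockerPolicy -PolicyObject $policy -Ldap $ldap

# 6. On any domain PC, the AppLocker log shows what the policy stopped or would
#    have stopped: event 8003 = would have been blocked (audit), 8004 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize
```

The Application Identity service must be running on the clients for AppLocker to evaluate anything, and the audit step matters for exactly the reason the case study describes: a flat switch to enforcement is what produces the outcry, whereas a few weeks of audit-only events give the CIO a list of who runs what to take to HR and the business units.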
For security across Europe he also emphasises the need for
personal responsibility. "If you allow your corporate laptop to be
used by someone else at home, and someone finds pornography on the
machine, even if you are blameless, it is still your
responsibility," he said.
"Managers across Europe must educate their staff about the need
for more personal responsibility."
Cultural differences
Scandinavia has an internet-savvy population, many of whom have
been using sophisticated online banking facilities for years. There
is a growing need to focus on internet security to safeguard
personal and corporate finances and the data of financial
organisations.
When it comes to local corporate governance, there is a strong
focus on institutional shareholders and stakeholder legislation.
Executive remuneration and gender representation are also hot
issues. Environmental legislation has long been a strong element of
Scandinavian governance that companies must adhere to, and which
the chief executive and the chief information officer need to be
aware of.
Erik Evren, a senior partner at communications consultancy
Hallvarsson & Halvarsson in Sweden, is a former communications
specialist at Nordic bank Nordea, a world leader in internet
banking, with 3.9 million e-customers.
In Scandinavia and the Nordic countries, he said, there has been
less pressure on CIOs to comply with the requirements of
Sarbanes-Oxley and other corporate governance legislation inspired
by the US in the wake of the Enron collapse and the campaign
against terrorism. That is because the Nordic countries have so far
not been caught up in widespread financial scandals or had to focus
on terrorism.
Jericho Forum
International IT security user group, the Jericho Forum, was set
up in January 2004 to use combined corporate user pressure to
ensure interoperability and fitness for purpose of security
products and services. It aims to exploit the business potential of
the internet while tackling the problem of bringing network
security down to individual device level. Its members include ABN
Amro Bank, Airbus, Boeing, BP, Credit Agricole, GlaxoSmithKline,
ICI, ING, MBNA Europe Bank, Qantas, Rolls-Royce, Royal Dutch/Shell,
Royal Mail and Unilever.
www.opengroup.org/projects/jericho