I am not making any claims for originality with this
opening statement, but I can certainly relate to it. "When I was
growing up, grass was mowed, coke was something you drank, and a
joint was a piece of meat you ate on Sundays."
I look at my grandkids and I cannot help but feel a certain
amount of sympathy for their parents.
And I suppose the same holds true for the beleaguered CIO. Now,
this title is a poisoned chalice, and pity the company whose CIO
has the same level of appreciation for IT security as I have for
opera.
Not long ago I met a chief security officer who was adamant that
because the machine that had all the company's mergers and
acquisitions data was physically in the boardroom the information
was secure.
Today this role has developed into one of the most crucial
appointments that an organisation will make.
Organisations have a duty to safely store, process and exchange
sensitive data inside and outside the organisation in a way that is
transparent to the user.
Throwing technology at the problem of security is not the
answer. However, technology will offer part of the solution, and it
is essential to stay abreast of developments and technologies.
No doubt every CIO is familiar with the various regulations that
are constantly in the media, whether Sarbanes-Oxley, the
Payment Card Industry Data Security Standard (PCI DSS), BS17799
or the Data Protection Act.
It is imperative that you take the time to acquaint yourself
with these standards and requirements.
A major challenge for any CIO is to develop an effective plan of
action. This plan must be comprehensive and make use of compliance
standards. Once such a plan is in place, an organisation can very
quickly take effective steps to address potential weaknesses in its
IT security.
One very effective standard is the model developed by the PCI.
The PCI standard sets out in a very clear way what steps
organisations that handle credit card payments should take in order
to be compliant.
Whether or not this affects your organisation, the fact remains
that the PCI recommendations are steps that any CIO should
implement.
In an increasingly dangerous world, every aspect of our daily
life today is governed by our need to take precautions.
No matter how inconvenient airport security checks might be, the
next nutter might sit next to me, and no matter how sure you are
that you would never sabotage your company's IT environment, the
next nutter might just sit next to you. So my advice is that it is
better to be safe than sorry.
So, my final word of advice is enjoy the job as long as you can,
and avoid unnecessary stress. When you next sit behind the wheel of
the car and put on your seatbelt, ask yourself if your IT
environment has the same level of security as you enjoy in the
car.