If CIOs are going to make the most of opportunities for
using IT to fuel business transformations and become engaged in
experimentation with software as a service, virtual worlds, Web 2.0 and the full realm of other
new and emerging technologies, then information security must
become an embedded and fundamental component of
planning.
Most guidance to CIOs that I have read on the subject of
security appears to have come from analysts and journalists. So,
this is my view, as incumbent information security director for the
world's biggest organiser of trade and consumer events.
It is important to envision the scope of the information
security leader's capability outside of IT and consider it as a
risk management, auditing, and business advisory role. Meaningful
metrics that serve to demonstrate to the board that security
risks are being managed should be collated on a regular basis. Gone
are the days where a firewall and an intrusion-detection system
could constitute the arsenal of information security defence.
Keep in mind that information security is fundamentally about
three things: protecting confidentiality, maintaining integrity and
ensuring the availability of data. Also, now more than ever, it is
about protecting the reputation of the business - particularly as
that reputation is based on ever-more fragmented brandings as the
business challenges traditional marketing and heads out into the
brave new virtual world.
Information security is an increasingly complex arena that calls
for hard-to-find skills: business savvy, sound risk fundamentals
and holistic technical understanding are all essentials. CIOs need
to understand that the role of information security is to help the
company understand, manage and mitigate risk as far as possible,
and predict the effect of any remaining risk on business systems
and the CIO's strategy.
My advice is not to be drawn in by buzzwords. New technologies
do not necessarily bring new problems: more usually the same old
issues dressed in new clothes. So, experience counts.
Here are the top security topics I think every CIO
should be thinking about over the year ahead:
1. Data handling. Without doubt, and regardless of the type of
business, security around data has to be the number one priority.
Consider that the impact of a data breach can reach far
beyond the value of the data itself.
2. Security of third parties and partners. You cannot outsource
responsibility for security, so make sure you know how well
third-party suppliers are looking after your organisation's
assets.
3. Access and entitlements. Who can do what and how well are you
managing access to systems and data?
4. Enterprise system security. If you are sponsoring new
initiatives then make sure security is a considered and documented
part of the planning process. Potential risks should be identified
early on in the life cycle and tracked through to and beyond
production.
5. Use the security veto. Security is one of the few things
other than money that can bring a project to a screeching halt.
Have a repeatable process for assessing risk, particularly for new
technologies where there may not be any well-established controls
or countermeasures. Wielding a security veto at the wrong time
might result in a missed opportunity. Using it as a sensible risk
control should help to maintain competitive advantage.
6. Watch out for threats to VoIP systems. There have been
rumblings for some time about the potential for serious attacks on
company voice over IP (VoIP) systems. The Jericho Forum, for
instance, stated fairly and squarely last year, "We do not consider
VoIP to be enterprise-ready. We in the IT security industry are
collectively guilty for allowing a fundamentally insecure system
such as VoIP to be launched into the market."
7. Malware, malware and malware. It is going to be a big year
for malware: the Olympics and the US presidential elections are two
events that will doubtless trigger a new stream of exploits.
Botnets will continue to dominate and corporate networks will
come under increasing attack from well-sponsored and highly
motivated international sources.
8. Virtualisation. A buzzword that actually means something
tangible, but do not forget security. According to Gartner,
"Through 2009, 60% of production virtual machines will be less
secure than their physical counterparts." Take the advice of Chris
Hoff and, "make sure we architect the virtual network as well as we
architect the physical networking."
My own agenda is set based on the CIO's and the overall business
strategy. Security cannot be an independent function within the
business; it must be a function of the business.
Stuart King is information security director at Reed Exhibitions