
Vernon Poole, head of business consultancy Sapphire, and former security manager for Deloitte UK/Europe, offers his advice to top-level executives on how to keep ahead of security concerns.
1. Create and maintain a comprehensive corporate information security (IS) policy. Support this with related guidance (including detailed policies and procedures) on how to deal with IS issues. Align this policy closely with business priorities. Endorse the approach and show total commitment to IS. Stress the need for good communication, comprehensive awareness of the key issues and compliance with relevant regulations.

2. Promote a common understanding of the importance of security issues, together with key IS requirements, vulnerabilities and threats. Understand and accept your own security responsibilities and ensure that you have a confirmation process in place.

3. Set up a corporate IS function to manage the IS regime (ISMS - IS Management System), especially with respect to incident management and response.

4. Set up a risk management policy to define risk limits and risk tolerance. Spell out clearly who owns which risks and what they are accountable for.

5. Identify and continuously monitor critical infrastructure components.

6. Use service level agreements (SLAs) to raise awareness of, and increase co-operation with, suppliers relative to security and continuity needs.

7. Lock down, or at least secure, applications before you deploy them.

8. Be aware that insiders continue to be the primary source of most security risks, but know too that attacks by organised crime and from other external sources are increasing.
9. Pay due attention to those legal and regulatory requirements that affect the business (e.g. data privacy, copyright and internal control demands). Enforce your IS policy through regulatory compliance and through internal and external reviews. (If you don't do this, you will be merely reacting to the latest security incident. This might find you legally liable for a breach, with consequential damage to your reputation and brand.)
10. In a world where mobile and remote working is increasingly prevalent, doing nothing about the above is irresponsible, and can even be seen as corporate negligence.