Information security can be complex, but the basics are often overlooked, says Mark Jones, chief information security officer at Heathrow Airports Limited, formerly BAA.
Jones, who is also director of IT security, compliance and governance, said three basic things, patching, incident management and resilience, are vital, particularly in IT-enabled critical infrastructure environments like UK hub airport Heathrow.
Patching is something he watches very closely. Jones believes it is an essential part of the security basics.
“Patching is not complex, just a basic discipline. However, there are few organisations that do it really well,” he said.
Many organisations, said Jones, tend to use outsourced services to maintain their IT infrastructure, but service providers are often reluctant to maintain high levels of patching.
Similarly, the management of information security incidents is another basic component many organisations neglect. Jones believes in regular structured cyber incident management drills.
Influence and responsibility
He also sees resilience as a key basic component, but this is often not part of a CISO’s responsibility, or the CISO lacks the authority required to ensure the resilience of information systems.
“CISOs need the capability to influence the executive team, but are often seen only as subject matter experts and not taken seriously enough by business executives,” said Jones.
For this reason, he believes no-one should become a CISO unless they have had responsibility in a business for profit and loss (PNL).
“Without the experience of PNL for a large business, say at the level of a £100m turnover business, it is difficult to get buy-in from the business,” said Jones.
“Performance as a CISO will also be improved as a result of such experience because it enables empathy with business problems and a better understanding of how the business works.”
Jones believes the pressure of commercial responsibility also provides a useful means of weeding out weaker candidates.
In terms of career planning, he said prospective CISOs should become subject matter experts first and then seek out opportunities to gain experience with line-of-business commercial responsibility.
Organisations can also help develop future CISOs by identifying the people with good information security skills and then giving them commercial responsibility in the business.
“We are moving into a world where digital information is so important, so there will be significant rewards for CISOs who are respected advisors to the board,” said Jones.
“CISOs who can answer questions authoritatively will become an essential resource and increasingly important to any business.”
Jones expects the demand for CISOs with good business and technical knowledge to increase significantly in the next 10 to 15 years.
“Organisations need to think now about developing these people, which will save money on buying unnecessary best of breed technologies,” he said.
According to Jones, a good CISO will ensure that a business has the right tools and skills to deliver appropriate levels of information security and resilience of information systems.
“Security is not just about technology, it is also about having the right operating model, and a CISO who can talk to the business and generate sufficient traction and influence,” he said.
Jones believes these aspects are essential because most modern businesses and governments are so reliant on integrated digital technology.