What CIOs should be doing about security in 2008

If CIOs are going to make the most of opportunities for using IT to fuel business transformations, and become engaged in experimentation with PaaS, SaaS, virtual worlds, Web 2.0 and the full realm of other new and emerging technologies, then Information Security must become an embedded and fundamental component of planning.

Most guidance to CIOs that I’ve read on the subject of security appears to have come from analysts and journalists. So, this is my view, as incumbent Information Security Director for the world’s biggest and best organiser of trade and consumer events.

It’s important to envision the scope of the Information Security leader’s capability outside of IT and consider it as a risk management, auditing, and business advisory role. Meaningful metrics that serve to demonstrate to the board that security risks are being managed should be collated on a regular basis. Gone are the days where a firewall and an intrusion detection system can constitute the arsenal of information security defense.

Keep in mind that information security is fundamentally about three things: protecting confidentiality, maintaining integrity, and ensuring the availability of data. Also, now more than ever it’s about protecting the reputation of the business – particularly as that reputation is based on ever more fragmented brandings as the business challenges traditional marketing and heads out into the brave new virtual world.

Information Security is an increasingly complex arena that calls for hard-to-find skills: business savvy, sound risk fundamentals and holistic technical understanding (as described in CIO Magazine). CIOs need to understand that the role of Information Security is to help the company understand, manage and mitigate risk as far as possible, and to understand the effect of the remaining residual risk on business systems and on the CIO’s own strategy.

My advice is not to be drawn in by buzzwords. New technologies don’t necessarily bring new problems: more usually the same old issues dressed in new clothes. So, experience counts.

Here are the top key security topics I think every CIO should be thinking about over the year ahead.

1. Data handling. Without doubt, and regardless of the type of business, security around data has to be the number one priority. Consider that the impact of a data breach can extend far beyond the perceived value of the data itself.

2. Security of third parties and partners. You cannot outsource responsibility for security, so make sure you know how well third-party vendors are looking after your organisation’s assets.

3. Access and entitlements. Who can do what, and how well are you managing access to systems and data?

4. Enterprise system security. If you’re sponsoring new initiatives then make sure security is a considered and documented part of the planning process. Potential risks should be identified early on in the lifecycle and tracked through to and beyond production.

5. Use the security veto. Security is one of the few things other than money that can bring a project to a screeching halt. Have a repeatable process for assessing risk, particularly for new technologies where there may not be any well-established controls or countermeasures. Wielding a security veto at the wrong time might result in a missed opportunity. Using it as a sensible risk control should help to maintain competitive advantage.

6. Watch out for threats to VoIP systems. There have been rumblings for some time about the potential for serious attacks on company VoIP systems. The Jericho Forum, for instance, stated fairly and squarely last year “We don’t consider VoIP to be enterprise-ready” and went on to say that “We in the IT security industry are collectively guilty for allowing a fundamentally insecure system such as VoIP to be launched into the market.”

7. Malware, malware and malware. It’s going to be a big year for malware: the Olympics and the US presidential elections are two events that will doubtless trigger a new stream of exploits. Botnets will continue to dominate, and corporate networks will come under increasing attack from well-sponsored and highly motivated international sources.

8. Virtualization. A buzzword that actually means something tangible, but don’t forget security. According to Gartner, “through 2009, 60 percent of production VMs will be less secure than their physical counterparts.” Take the advice of Chris Hoff and “make sure we architect the virtual network as well as we architect the physical networking.”

My own agenda is set based on the CIO’s and the overall business strategy. Security cannot be an independent function within the business; it must be a function of the business. Does that help? Drop me a line if you want to find out more.