Security: Freedom to enter but no right to roam

How will IT directors in businesses that span European borders adapt as corporate security evolves from a closed fortress approach to an open door policy?

The responsibilities of the modern CIO are myriad: gaining trust and confidence, grappling with the complexity of organisations and products, dealing with the board and the business units, adhering to corporate governance and legislation, and tackling threats posed by hackers and spammers.

When you add the responsibility for information and security in an organisation that ranges across Europe, life becomes even more complex.

You also need to accommodate differences in mindset about legislative severity, and differences in national character.

Many of the challenges remain the same for CIOs, wherever they are based. They must try to operate a security model that has changed from a "fortress" - where everything was kept out - to "airport" style security. Now everyone is rushing around in different directions aiming for different destinations, and their credentials to "fly", or interact with the company, need to be checked.

Organisations need to welcome everyone in from partners to customers and hope they are friends, not foes. The key word is now "deperimeterisation".

But opening up the perimeter means organisations require knowledge of identities through trust and confidence.

David Lacey, chairman of user group the Jericho Forum and director of information security at the Royal Mail, believes that trust models are increasingly important. This is why the Jericho Forum - which has members across Europe - is instituting research into the development of new trust models.

Essentially, the CIO's approach to security does not change depending on which European country they are in; it simply depends on what the business priorities of the company are.

There are, however, some distinct differences where geography, national characteristics and natural alliances play a role.

Europe can be divided into four sub-regions: the Nordic-Scandinavian group, the UK, the Franco-German group, and Italy and Spain. These all play an important part in influencing corporate governance and legislation.

Coping with legislative demands is one of the CIO's biggest challenges. In some of the harsher legislative regimes, after a major breach of the law, the CIO can find themselves in prison.

For many organisations, simply dealing with the different demands of the legislation presents a headache. For example, the US Sarbanes-Oxley regulations are all about auditing and process compliance. Yet Basel 2 focuses on daily, operational risk. Some argue that being compliant with both those different approaches is a corporate challenge in itself.

This is where geography and national characteristics also come to the fore. In the Nordic countries there are additional governance requirements applying to shareholders and stakeholders, as well as environmental standards that must be complied with.

Companies also need IT to help shore them up in the case of managerial incompetence or wrongdoing, and it is the CIO who can protect the enterprise, establishing a process view of the organisation.

It is likely that demands on the CIO will increase as the threats to security move beyond hacking through firewalls and into networks and applications.

Brian Collins, head of the Department of Information Systems at Cranfield University and a former global CIO at law firm Clifford Chance, believes the threat focus has moved to applications, with databases becoming an eventual target.

"We have moved the business into a network-enabled capability. The only problem is that we now have network-enabled vulnerabilities," he said.

Collins believes CIOs will soon have to get to grips with persuading "the business" - and the board - that some applications just may be insupportable from the organisation's security point of view.

"In the most effective organisations, IT and the business units will already be working together as one to solve this," he said.

"You cannot have a situation where you have huge business vulnerabilities 'enabled' by IT, and are opening the door to risk, both physically to the organisation, and also to its reputation."


Case study: OKI CIO sets a security policy across Europe

Kevin Holian, chief information officer at printer supplier OKI Europe, believes making security work is as much about education as technology. Technology may be an enabler, but discussion and personal responsibility are far more effective components.

That is particularly true when you are dealing with a trans-European business environment in which legislative demands and mindset present myriad challenges. That differing approach even extends to data protection legislation, or individual use of the internet.

"Here in the UK, it is commonplace for reasonable personal use of the internet to be accepted by employers, provided it is not eating up significant chunks of work time, and you are careful about which sites you visit," he said.

"But across Europe there is a different expectation that at work you cannot use the net for private use. As a CIO working across Europe, you have to be aware of these cultural and legal differences."

The need to have a cross-organisation view of what software resides and is used within the organisation prompted Holian to put Windows Active Directory across Europe, giving him a view of every PC and preventing staff from loading unauthorised software, in particular software downloaded from the internet.

It was a move that caused a corporate outcry across OKI Europe.

But Holian was able to persuade first his human resources team, and then the rest of the business, that access to the system was regulated through a multilayered security structure consisting of safes, passwords and biometrics.

For security across Europe he also emphasises the need for personal responsibility. "If you allow your corporate laptop to be used by someone else at home, and someone finds pornography on the machine, even if you are blameless, it is still your responsibility," he said.

"Managers across Europe must educate their staff about the need for more personal responsibility."


Cultural differences

Scandinavia has an internet-savvy population, many of whom have been using sophisticated online banking facilities for years. There is a growing need to focus on internet security to safeguard personal and corporate finances and the data of financial organisations.

When it comes to local corporate governance, there is a strong focus on institutional shareholders and stakeholder legislation. Executives' remuneration and gender representation are also hot issues. Environmental legislation has long been a strong element of Scandinavian governance that companies must adhere to and of which the chief executive and the chief information officer need to be aware.

Erik Evren, a senior partner at communications consultancy Hallvarsson & Halvarsson in Sweden, is a former communications specialist at Nordic bank Nordea, a world leader in internet banking, with 3.9 million e-customers.

In Scandinavia and the Nordic countries, he said, there has been less pressure on CIOs to comply with the requirements of Sarbanes-Oxley and other corporate governance legislation inspired by the US in the wake of the Enron collapse and the campaign against terrorism. That is because the Nordic countries have so far not been caught up in widespread financial scandals or had to focus on terrorism.


Jericho Forum

International IT security user group, the Jericho Forum, was set up in January 2004 to use combined corporate user pressure to ensure interoperability and fitness for purpose of security products and services. It aims to exploit the business potential of the internet while tackling the problem of bringing network security down to individual device level. Its members include ABN Amro Bank, Airbus, Boeing, BP, Credit Agricole, GlaxoSmithKline, ICI, ING, MBNA Europe Bank, Qantas, Rolls-Royce, Royal Dutch/Shell, Royal Mail and Unilever.
