Better to be safe than sorry with security

CIOs must take action now to avoid problems later

I am not making any claims for originality with this opening statement, but I can certainly relate to it. "When I was growing up, grass was mowed, coke was something you drank, and a joint was a piece of meat you ate on Sundays."

I look at my grandkids and I cannot help but feel a certain amount of sympathy for their parents.

And I suppose the same holds true for the beleaguered CIO. That title is a poisoned chalice, and pity the company whose CIO has the same appreciation of IT security as I have of opera.

Not long ago I met a chief security officer who was adamant that because the machine that had all the company's mergers and acquisitions data was physically in the boardroom the information was secure.

Today this role has developed into one of the most crucial appointments that an organisation will make.

Organisations have a duty to safely store, process and exchange sensitive data inside and outside the organisation in a way that is transparent to the user.

Throwing technology at the problem of security is not the answer. However, technology will offer part of the solution, and it is essential to stay abreast of developments and technologies.

No doubt every CIO is familiar with the various regulations and standards that are constantly in the media, whether Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), BS 7799 (the basis of ISO/IEC 17799) or the Data Protection Act.

It is imperative that you take the time to acquaint yourself with these standards and requirements.

A major challenge for any CIO is to develop an effective plan of action. This plan must be comprehensive and make use of the compliance standards. Once such a plan is in place, an organisation can very quickly take effective steps to address potential weaknesses in its IT security.

One very effective standard is PCI DSS, the model developed by the payment card industry. It sets out in a very clear way what steps organisations that handle credit card payments should take in order to be compliant.

Whether or not this affects your organisation, the fact remains that the PCI recommendations are steps that any CIO should implement.

In an increasingly dangerous world, every aspect of our daily life today is governed by our need to take precautions.

No matter how inconvenient airport security checks might be, the next nutter might sit next to me, and no matter how sure you are that you would never sabotage your company's IT environment, the next nutter might just sit next to you. So my advice is that it is better to be safe than sorry.

My final word of advice is to enjoy the job as long as you can, and avoid unnecessary stress. The next time you sit behind the wheel of the car and put on your seatbelt, ask yourself whether your IT environment has the same level of protection as you enjoy in the car.
