If CIOs are going to make the most of opportunities for using IT to fuel business transformations and become engaged in experimentation with software as a service, virtual worlds, Web 2.0 and the full realm of other new and emerging technologies, then information security must become an embedded and fundamental component of planning.
Most guidance to CIOs that I have read on the subject of security appears to have come from analysts and journalists. So, this is my view, as incumbent information security director for the world's biggest organiser of trade and consumer events.
It is important to envision the scope of the information security leader's capability outside of IT and consider it as a risk management, auditing, and business advisory role. Meaningful metrics that serve to demonstrate to the board that security risks are being managed should be collated on a regular basis. Gone are the days where a firewall and an intrusion-detection system could constitute the arsenal of information security defence.
Keep in mind that information security is fundamentally about three things: protecting confidentiality, maintaining integrity and ensuring the availability of data. Also, now more than ever, it is about protecting the reputation of the business - particularly as that reputation is based on ever-more fragmented brandings as the business challenges traditional marketing and heads out into the brave new virtual world.
Information security is an increasingly complex arena that calls for hard-to-find skills: business savvy, sound risk fundamentals and holistic technical understanding are all essentials. CIOs need to understand that the role of information security is to help the company understand, manage and mitigate risk as far as possible, and predict the effect of any remaining risk on business systems and the CIO's strategy.
My advice is not to be drawn in by buzzwords. New technologies do not necessarily bring new problems: more usually the same old issues dressed in new clothes. So, experience counts.
Here are the top security topics I think every CIO should be thinking about over the year ahead:
1. Data handling. Without doubt, and regardless of the type of business, security around data has to be the number one priority. Consider that the consequences of a data breach can extend far beyond the value of the data itself.
2. Security of third parties and partners. You cannot outsource responsibility for security, so make sure you know how well third-party suppliers are looking after your organisation's assets.
3. Access and entitlements. Who can do what and how well are you managing access to systems and data?
4. Enterprise system security. If you are sponsoring new initiatives then make sure security is a considered and documented part of the planning process. Potential risks should be identified early on in the life cycle and tracked through to and beyond production.
5. Use the security veto. Security is one of the few things other than money that can bring a project to a screeching halt. Have a repeatable process for assessing risk, particularly for new technologies where there may not be any well-established controls or countermeasures. Wielding a security veto at the wrong time might result in a missed opportunity. Using it as a sensible risk control should help to maintain competitive advantage.
6. Watch out for threats to VoIP systems. There have been rumblings for some time about the potential for serious attacks on company voice over IP (VoIP) systems. The Jericho Forum, for instance, stated fairly and squarely last year, "We do not consider VoIP to be enterprise-ready. We in the IT security industry are collectively guilty for allowing a fundamentally insecure system such as VoIP to be launched into the market."
7. Malware, malware and malware. It is going to be a big year for malware: the Olympics and the US presidential elections are two events that will doubtless trigger a new stream of exploits. Botnets will continue to dominate, and corporate networks will come under increasing attack from well-sponsored and highly motivated international sources.
8. Virtualisation. A buzzword that actually means something tangible, but do not forget security. According to Gartner, "Through 2009, 60% of production virtual machines will be less secure than their physical counterparts." Take the advice of Chris Hoff: "make sure we architect the virtual network as well as we architect the physical networking."
My own agenda is set based on the CIO's and the overall business strategy. Security cannot be an independent function within the business; it must be a function of the business.
Stuart King is information security director at Reed Exhibitions