Cyber-security has become a boardroom issue and remains a key priority for the CIO, who must ensure the business and its employees are safeguarded from online threats and regulatory exposure. CIOs featured on the CIO 100 discuss the security strategies in place within their organisations and how they are combating ever-evolving threats to secure the workplace.
"I report IT security adherence back to our board and shareholders on a quarterly basis. While we do not have a dedicated cyber security manager I assigned the responsibility regionally last year. In Europe my head of service delivery is acting IT security officer and has objectives and a budget to allow him to implement an appropriate IT security programme."
Andy Caddy, Virgin Active CIO
"Cyber is actively discussed and owned at board level, with our CEO taking the lead. We have a proactive cyber and information security strategy where we assess our readiness and effectiveness and share this with our audit committee. We have also achieved Cyber Essentials Plus certification as independent verification. I have worked on positioning cyber as not just a technology issue but one where staff awareness is key, so we have a mandatory training programme for all staff that is led from the top, positioning information assurance as a key part of our company code of conduct."
Richard Cross, Atkins Chief Digital Officer
"Over the past 12 months I have taken a number of steps to strengthen our cyber security capability and give greater leadership and management focus to this important area. One important event was my appointment of a new CISO at N Brown, reporting directly to me as part of my IT leadership team. They have spent time working at board level to engage, educate and inform on the subject of cyber security. We have achieved approval of significant investment in a risk reduction programme to ensure our cyber security capability remains fit for purpose far into future and meets the increasing data privacy expectations of our customers."
Andy Haywood, N Brown Chief Operating Officer
"As we are just setting up the Crick, I have been running a series of workshops, supported by KPMG, which has helped us to develop a cyber security roadmap. Senior management have been involved in the interviews and workshops; the report has been reviewed by the Operations Management Committee and will shortly be reviewed by the Executive Committee. It is also my expectation that it will go to the Board. There is an operational Security Steering Group which covers all aspects of security, which is chaired by the Director of Security and where I represent information security."
Alison Davis, Francis Crick Institute IT Director
"Cyber security is totally embedded within our overall corporate governance process. It's broken down into individual components to enable external audit/testing at least every year and there are a number of committees addressing those components led by non-IT executives so as to ensure no conflict of interest. The outcomes from this process are fed back into the main board audit committee, which meets three times a year."
Mike McMinn, Marston's IT director
"We discuss at every board meeting and it's on our balanced scorecard as a senior management team. We take a threat-led approach and heavily focus on people. Next month we are running a full-scale simulated cyber attack complete with media support to test whether our briefings are having an impact up and down the organisation!"
James Robbins, Northumbrian Water CIO
"Our cyber-security office is led by a global CISO who drives a centrally funded, risk-based, ISO-standardised programme. AstraZeneca information security runs a 24x7 security operations centre, forensics and investigations, strategy, performance, and culture/awareness training. A focus on using proper cloud and on-premise technologies plus creating valued partnerships within the industry and government entities enables AstraZeneca to be a leader in this area.
Cyber-security risks and performance are presented regularly to executive leadership, audit committee and the board of directors, who are instrumental in both understanding AstraZeneca's security posture and giving feedback and driving positive change. Cyber security is integrated into multiple areas of the business and works closely with legal, compliance and risk areas."
David Smoley, AstraZeneca CIO
"Within the organisation we have appointed a senior leader outside of the department to act as senior information risk officer (SIRO) – all organisations in the public sector have this. We then have two committees that work towards improving awareness and taking action on information governance, which includes cyber security. We have a fully integrated team on information governance and within that resources for awareness and communications (we have a comms team within the technology team, which makes a huge difference). We have also collaborated with key business units to identify risk areas and the benefit of a mature approach to cyber security. There's more to do, but the foundations are there."
Laura Dawson, British Council CIO
"We have a separate Cyber security group, chaired by myself and including all the key service delivery managers in our department. This group is a spin-off of our wider IT Security Group. The Cyber group meets every few weeks and we have specific actions in place designed to improve our intrusion detection and response, as well as improving our basic measures, for example from internal attack. I discuss the key issues with our Leadership team on a quarterly basis (as part of a regular detailed update I give to our Leadership Team), as well as on an ad hoc basis as required. Welcome Break is a potential terrorist target and so the whole organisation takes security very seriously, including involving the Metropolitan Police as well as our IT security consultants from PwC. Recent high profile cyber attacks are a timely reminder to us all that we must take this threat very seriously. Enormous damage can be done to the reputation and profits of a business as a result of a cyber attack, so we remain vigilant."
David Wilock, Welcome Break IT Director
"Cyber security is a board-level priority and I have presented and led debate at multiple committees including executive, audit and risk. As a key pillar of the IT strategy, this topic is frequently discussed, and ringfenced funding has been secured. An ongoing programme of education and briefing has been established for the leadership and board, and I can only see cyber security continuing to be an increasing focus of my time."
Giles Baxter, Arthur J. Gallagher CIO
"Security is taken seriously at the university and is regularly discussed both in senior University meetings and in the IS leadership team. The executive board has recently made training in information security and compliance a statutory requirement for all staff. Meanwhile I am working with the head of security and compliance to communicate with all faculties' executive groups about the need for secure management of information. IS is working to develop the appropriate framework of policies, guidelines and standards needed to ensure our data is protected. The policies are to be approved at university executive board level, with subsidiary guidelines ratified by other committees.
The head of security and compliance is a member of the IS leadership team. She has the respect of all the most senior members of the university and is listened to when she advocates an unpopular course of action – at her request we recently delayed launch of a key statutory tool for two days to conduct a privacy impact assessment. She chairs a sub-committee on information security with senior members from across the university. The security team reviews all change requests made to the change advisory board and has the opportunity to veto or modify any change on security grounds."
Carolyn Brown, University of Westminster CIO
"We have strong sponsorship from our CEO and an ongoing Security programme. I employed a CISO two years ago (there was no in-house security capability when I took up position). I am the Executive owner of information security risk and as such I report formally to our shareholders, our CEO and our Executive Board as a minimum, each month on security operations and our wider programme. Our CISO provides a more detailed security update to the leadership team and I have initiated a communications programme around our security team including a site on our intranet, and I have employed a Security Analyst whose sole role is to communicate, train, engage and receive feedback from our wider business on information security issues, including senior management. As part of the UK's critical national infrastructure, we are regularly updated by the Government's security services and this helps to keep information security high on our CEO, Board and senior management teams' agenda."
Andrew Quail, SGN CIO
"Information Security comes under my responsibility and is something we have really established this year, allocating someone to be solely responsible for information security, creating policies and establishing a Security Steering Committee across our group which is sponsored by myself and the Group CEO. We have updated and implemented several policies this year and have sponsored the person in role to commence an MSc in Cyber Security. We have also established relationships with Carsten Maple, who heads up Cyber Security at the Warwick University; this was established through my professional network."
Sean Harley, Ascential CIO
"AXA takes a global approach to managing information security risk, although accountability for deploying the controls and monitoring their effectiveness rests with each local business. To manage this model I have employed a head of information security who reports directly to me and is given a significant budget each year to test and improve the controls we have.
Cyber security risk is one of the key risks recorded and monitored at a global and local level. It receives air time at monthly information security meetings, IT board meetings and the executive risk committee. We also employ information and data security officers across all of our AXA UK and Ireland businesses, each of whom has a dotted reporting line into my head of security. We also invest significantly in external auditing and testing of our information security controls, the results of which feed directly back into our information security strategy on a plan, do, check, act basis.
Finally, as a major part of the global AXA group, we contribute significantly to global efforts to understand, identify and control security risks at both an AXA level and an industry level. I am extremely confident in our ability to protect our customers' data, and that confidence was justified when we successfully detected and prevented a cyber-attack in 2015. But I will not rest on my laurels: cyber risk is about the most dynamic thing I have to contend with and I will continue to invest heavily in this area both financially and with the industry's best talent."
Kevin Murray, AXA COO
"When I joined Low Cost Travel Group I made cyber security a top agenda topic at the senior exec meeting as well as at the architecture committee. I established a monthly penetration test executed by a third-party specialist; all feedback coming from the test is implemented as a top priority in the sprint backlog of all products.
I periodically make the entire company aware of any news and new trends in the cyber security arena using the IT blog and newsletter, while the exec board receive a detailed monthly report on any vulnerability and risk that the penetration tests highlight. It is vital that the entire company is aware of any risk and has a plan on how to handle specific events."
Francesco De Marchis, Low Cost Travel Group CTO
"Following my appointment, I recognised within technology that while we were addressing security as a business as usual activity, there was no real focus to assess and deal with these emerging threats. I now have a team managing all aspects of security and business continuity across the global business, not just in technology. I am a standing member of the operational risk committee, so our current position and strategy is regularly discussed and periodically reviewed at the Dentsu board meetings. Dentsu acquired the business in 2012 and is our parent company."
Mike Young, Dentsu Aegis CIO