Cyber security has always been high on the list of CIO priorities, and has been brought to the fore again by a spate of high-profile attacks which have cost CIOs and CEOs their jobs. As such it is a key responsibility for CIOs to keep up-to-date with the latest cyberattacks and the types of threats the company and its employees may face.
For CIOs new in role, getting the winning combination of implementing security and putting it on the agenda at senior meetings is a challenge, as is communicating the cyber threat to the whole organisation. According to The Global State of Information Security Survey 2016, 24% of businesses increased their security budgets last year. Here is our guide for starting CIOs on how they can present security coherently to board directors.
Creating a security framework
When a CIO presents a security strategy to the board they need to signal how important security is within the organisation. A 2016 survey revealed 45% of directors believed being technology savvy was the most under-represented skill in the modern boardroom.
Responsibility for cybersecurity is something relatively new for CEOs to need an appropriate level of knowledge of, compared with other skills. By explaining your security framework, together with a response plan, the board will have the confidence and reassurance that the company is in control of the issue and is keeping track of the ever-evolving cyber threats as they arise.
The strategy presented should be crisp and concise, using concrete security steps, such as how you are going to address the risk of threats and what programmes employees can use for safer browsing. According to The Culture, Media and Sport Committee, 25% of companies experience a cyber breach at least once a month and the problem is growing, while half of the 2016 CIO 100 had suffered a cyber breach in the previous year. Using previous reports and analysis of the company's security plan, CIOs can produce a timeline of how they are going to make a safer and more secure workplace and reduce the risk of hacking.
Customer credibility through security
Cyberattacks are mounting according to the 2016 report of the Culture, Media and Sport Committee, with 90% of large organisations having experienced a security breach. The recent TalkTalk scandal, which saw over 150,000 customers' personal details accessed and stolen, has shown a loss of public confidence in the brand, with shares down more than 20% following the hacking. CIOs need to monitor possible threats and keep users on their side with assurance in the service the company is providing.
A security programme in place will add credibility to the company with its competitors and customers, ensuring that their personal and bank details are in secure hands. According to the 2016 Global State of Information Security Survey, 53% of organisations have employee training and awareness programmes for safeguarding against incoming threats. The CIO should think from the customer's perspective about the service they are getting and whether or not they feel secure enough to use the product.
End-user security and a human firewall
A CIO's role in defending the work environment is challenging, with the cloud and multiple internet devices being used by users around the organisation. The CIO needs to make the strategy relevant to everyone from board members to the newest recruit to reduce the internal and external cyber threat.
A CIO's main concern in implementing new technologies is security.
CIO David Walliker at Liverpool Women's NHS Trust is currently transitioning to a paperless system, by 2018. The project will enable hospital staff to access patients' medical records electronically. The system will ensure a faster healthcare service for patients on arrival.
Walliker discusses how the paperless system will protect the Trust from confidential information being leaked.
He said “we have got a number of proactive tools with all our firewalls having penetration testing. We can detect if somebody is looking in the same postcode as you or same postcode of your next of kin. This has led to some disciplinary and an awful lot of awareness for staff”.
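The postcode check Walliker describes, as an added example that is not the Trust's own tooling: it joins record-access audit events with a staff directory and flags any access to a patient whose postcode matches the staff member's own postcode or their next of kin's. The `STAFF` and `EVENTS` data and the function names are constructed assumptions.

```python
# Added example, not code from the article or from Liverpool Women's NHS Trust.
# Models the audit control quoted above: flag staff who open records of patients
# living at their own postcode or their next of kin's postcode, for review.
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "staff_id patient_id patient_postcode")

# Constructed staff directory (from HR): own postcode and next of kin's postcode.
STAFF = {
    "s001": {"postcode": "L8 7SS", "next_of_kin_postcode": "L17 6BE"},
    "s002": {"postcode": "L4 2BB", "next_of_kin_postcode": "L3 1AA"},
}

# Constructed record-access audit events from the electronic records system.
EVENTS = [
    AccessEvent("s001", "p100", "L15 4LB"),  # unrelated postcode, not flagged
    AccessEvent("s001", "p101", "L8 7SS"),   # patient shares the staff member's postcode
    AccessEvent("s002", "p102", "l3 1aa"),   # next of kin's postcode, odd casing/spacing
    AccessEvent("s999", "p103", "L1 1AA"),   # staff id missing from the directory
]


def normalise(postcode):
    """Canonical form so 'l3 1aa' and 'L3 1AA' compare equal."""
    return "".join(postcode.split()).upper()


def flag_postcode_matches(events, staff):
    """Return (staff_id, patient_id, reason) for every event that needs review."""
    flagged = []
    for ev in events:
        profile = staff.get(ev.staff_id)
        if profile is None:
            # An access under an id HR cannot vouch for is itself worth reviewing.
            flagged.append((ev.staff_id, ev.patient_id, "unknown staff id"))
            continue
        pc = normalise(ev.patient_postcode)
        if pc == normalise(profile["postcode"]):
            flagged.append((ev.staff_id, ev.patient_id, "own postcode"))
        elif pc == normalise(profile["next_of_kin_postcode"]):
            flagged.append((ev.staff_id, ev.patient_id, "next of kin postcode"))
    return flagged


if __name__ == "__main__":
    for hit in flag_postcode_matches(EVENTS, STAFF):
        print(hit)
```

A match is a prompt for a manager to review the access, not proof of misuse, since staff legitimately treat neighbours; the disciplinary outcomes Walliker mentions follow that review.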
A CIO's security challenges are external as well as internal, including ensuring that the staff's own personal details remain private.
Security tools such as those monitoring user behaviour, where administrators can keep track of the programmes that are running, are beneficial for future updates and regular security checks. Monitoring can detect unusual login attempts or suspicious activity, helping to prevent further attacks in the workplace.
Employees need to be aware of the security threats posed, with most attacks coming from clicking on links and visiting certain websites. Basic security tools, such as a firewall, act as a barrier between a trusted and an untrusted network, but employees also need to be trained to recognise and avoid security breaches. Enhancing security through programmes such as network behaviour analysis (NBA) will monitor traffic and any unusual IT patterns. The analysis is beneficial for spotting new malware, saving time and effort for IT administrators, who are then able to focus on other responsibilities and locate any other possible threats.
Security in online voting remains a challenge in the UK. The UK government plans to introduce online voting by 2020.
Jordi Puiggali is CSO and SVP of Research and Security at Scytl, an online voting solution provider. Scytl has delivered a training programme to over 11,0000 UK election staff for the EU Referendum.
He said "implementing a security mechanism, mainly with access control, can see the people who are using the programme. Our main priority in security is protecting the personal information of the staff, who are in training, and keeping their user details private."
The implementation of security is a slow process given the ever-evolving threat to businesses. Adopting a collaborative approach, CIOs should avoid technical jargon and information overload when presenting to the board. A risk-based cybersecurity framework should be implemented, with 91% of board directors following this strategy, according to PwC's The Global State of Information Security Survey 2016. CIOs should outline a clear plan for how security should become embedded as a priority from the CEO down and across the whole organisation.