
Cybercrime is on the tips of the tongues of the media, government and CEOs that influence the day-to-day delivery that the CIO is responsible for, and thus has become a responsibility of a large proportion of CIOs. I was among the CIOs gathered in London at a CIO UK roundtable earlier this month to discuss just what security means for our role in 2014, and what we need to do to ensure our organisations are safe in a world where cybercrime is prolific.

Is cybercrime a trend too far, or simply a risk that the management skills have been in place to mitigate since time began? This was a controversial point, given our knowledge that the issue is growing in impact, but as the group reflected more and more, people came round to the idea that all of the skills to manage the risk already exist, and that the vast majority of the issue is about education.

The concept of information security has existed for a great deal of time; after all, it is one of the themes running through Charles Dickens' Bleak House: the theft of legal data and the impact that has on the characters. If Charles Dickens was writing stories to educate people in the 19th century, then our group of CIOs quickly came to the realisation that maybe that was a good way to start educating our organisations.

One such analogy for educating organisations compared protecting the corporate system from cybercrime to the public health campaign that raised awareness of safe sex. Don't just put the memory stick in and wriggle it around; make sure it is protected first.

In all seriousness, however, the idea that good practice becomes ingrained into all walks of life was something that all of the CIOs settled on. While the risk of cybercrime increases through the complexity and ingenuity of those committing the crime, awareness, and the saturation of that awareness, will also increase. A further analogy was the 'Clunk, Click' campaign from the late 1970s; everyone in the room remembered a time when people died by being flung through a car window, and now, with a small piece of legislation and the saturation of a generation's opinions, very few people die in a car crash in this way.

What is in a name also became a subject of debate; Cybersecurity, InfoSec and InfoGov were all covered. A short, sharp intake of breath escaped as the generation gap was revealed to have an impact on which phrase worked best. The millennial generation are clear on what cybercrime means, even if in reality cyber is 'simply' the Greek for communication.

Engaging the board is a cost-versus-risk skill. What is the appetite for the risk? What is the exposure if the worst happens, and what is the mitigation cost to stop it happening? All of the CIOs were clear that simply asking the organisation to complete a CBT (common basic training) course once a year (invariably the day before Christmas Eve) wasn't going to particularly mitigate the risk, but at least it would increase knowledge of the issue by some small degree.

The debate moved further in this space, on to how hard it is to gain engagement at board level to spend money on the risk when it is so hard to eloquently describe the actual size of the risk itself. Tongue in cheek, it was suggested that the best way to get the engagement of a board is for an incident to happen, although often the CIO is the one to go if this does happen.

A straw poll of the organisations present with insurance to protect against cybercrime came out relatively low, a surprise, but then hearing the murmurings that insurance comes too late was also refreshing. CIOs 'get it': insurance for this kind of risk is not enough, and the financial repair of a cybersecurity disaster can be catastrophic, never mind significant.

Further thoughts

Images of several million number plates are collected every day by the police forces. To store those securely and not on the cloud would make this capability impossible to deliver. This consideration took us on to a further debate: the categorisation of information as the key to affordable cyber security. The concept of securing every number plate photograph is mind-bogglingly large; however, the number plate doesn't need to be stored securely. It's an everyday piece of information that almost anyone in the age of the smartphone and camera can, and probably does, add to. What does need to be secure is the analysis, the algorithms and the intelligence. The secured data is the element that gives meaning and delivers insight against the volume. With this understanding, though, also comes the complexity of categorisation, something that every CIO agreed was a much more difficult task than it would appear to be on paper.

On one of the hottest days I have ever had on the tube in London, I learnt another fact from my fellow CIOs: that there is a prize of £1 million for someone who can come up with a way to keep the tube cool, and one of the serious suggestions, apparently, is to put blocks of ice under the seats at the end of each line! Well, I think that the next time the CIOs are asked to come together maybe they should try to tackle this problem, as we seem to have the issue of cybersecurity in our hands, other than the right name for it.

Richard Corbridge is CIO of the National Institute of Health's Clinical Research Network, and was placed at number 15 in the 2014 edition of the CIO 100.