Almost half of the 2017 CIO 100 organisations have experienced a security breach within the last 12 months. CIOs are now integrating security training and awareness programmes to help protect their organisations against incoming threats.
Uber has become the latest organisation to have had its data breached. The ride-sharing company admitted it paid hackers $100,000 (£75,500) to delete stolen data after 57 million accounts were compromised late last year.
CIO UK recently spoke to TalkTalk Business COO Duncan Gooding on how the company is still overcoming its infamous 2015 security breach, which resulted in £400,000 in fines and losses of £60 million.
A cultural change should result in staff becoming more aware and responsive to security issues while also improving their skill sets and wider attitude towards security.
Read on to find out how 12 digital leaders are raising awareness of security and improving the safety of their organisations.
"Around cybersecurity we are putting good practices into IT and investing in the technology to help protect us, but clearly the weakest link is always going to be the workforce. As part of the mandatory training there is an IT security module which staff members have to undertake annually, so we have a lot of mystery shopper type activities where we have been creating and testing our own viruses. We are sending out emails to our staff with fake viruses and seeing who has clicked on those links.
"We are also running poster and intranet campaigns where we are very much engaged with the workforce at large in terms of getting them to understand it. The media has done a good job for the NHS and the WannaCry scandal because it has hit mainstream news and brought it to everyone's attention. We are now quite often getting staff telling us their worries about cybersecurity and how they can minimise their risks."
Mark Stanton, Dudley Group NHS Foundation Trust's CIO
"We have developed a new and more confident governance and assurance structure that takes a more objective approach to architecture and security. We have introduced FAIR [factor analysis of information risk] as a risk management and assessment methodology that allows a more balanced, less risk-averse approach. It has been used in assessing risks for both live systems and proposed changes and is allowing us to save time and effort later on.
"We are also covering key areas such as privacy, service and security by design and what that means so that expectations on how to deliver are managed."
Laura Dawson, British Council's former CIO
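To make the FAIR reference above concrete, the following is an added worked example (illustrative code, not the British Council's own tooling). FAIR decomposes annualised loss exposure into Threat Event Frequency multiplied by Vulnerability (giving Loss Event Frequency) and then by Loss Magnitude; each factor is given as a calibrated minimum/most-likely/maximum estimate and the product is simulated so that the result is a distribution rather than a single guess. The two scenarios and all of their numbers are constructed for the example.

```python
"""FAIR-style risk quantification: added illustration with constructed inputs.

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annualised loss exposure   = LEF x Loss Magnitude (LM)
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); mode is the most-likely value.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class FairScenario:
    name: str
    tef: Estimate   # threat events (attempts) per year
    vuln: Estimate  # probability an attempt becomes a loss event, 0..1
    lm: Estimate    # cost per loss event, GBP


# Constructed sample scenarios; every figure here is made up for illustration.
PHISHING = FairScenario(
    "Credential theft via phishing",
    tef=Estimate(10, 40, 120),
    vuln=Estimate(0.02, 0.05, 0.15),
    lm=Estimate(5_000, 25_000, 200_000),
)
LOST_LAPTOP = FairScenario(
    "Unencrypted laptop lost or stolen",
    tef=Estimate(1, 3, 8),
    vuln=Estimate(0.10, 0.30, 0.60),
    lm=Estimate(2_000, 10_000, 80_000),
)


def point_estimate(s: FairScenario) -> float:
    """Single-value annualised loss using only the most-likely inputs."""
    lef = s.tef.likely * s.vuln.likely
    return lef * s.lm.likely


def _percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile of an already sorted list (p in 0..1)."""
    idx = int(round(p * (len(sorted_values) - 1)))
    return sorted_values[idx]


def simulate(s: FairScenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over the three factors; returns summary statistics in GBP."""
    rng = random.Random(seed)  # fixed seed so every run is reproducible
    annual = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        annual.append(lef * s.lm.sample(rng))
    annual.sort()
    return {
        "mean": mean(annual),
        "p10": _percentile(annual, 0.10),
        "p50": _percentile(annual, 0.50),
        "p90": _percentile(annual, 0.90),
    }


def rank_by_p90(scenarios) -> list:
    """Order scenarios by their 90th-percentile annual loss, worst first."""
    ranked = sorted(scenarios, key=lambda s: simulate(s)["p90"], reverse=True)
    return [s.name for s in ranked]


if __name__ == "__main__":
    for s in (PHISHING, LOST_LAPTOP):
        r = simulate(s)
        print(f"{s.name}: point estimate £{point_estimate(s):,.0f}, "
              f"p50 £{r['p50']:,.0f}, p90 £{r['p90']:,.0f}")
    print("Priority order:", rank_by_p90([PHISHING, LOST_LAPTOP]))
```

The value of the simulation over the point estimate is the tail: a scenario whose most-likely loss looks modest can still dominate at the 90th percentile, which is the figure that usually decides whether a control or a change request is worth the spend.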
"We are working to improve the group's information security position through training and awareness campaigns, and preparing for GDPR legislation due in May 2018, where we need to have significantly more insight into how personal data flows across our estate and how it is secured and protected in each of its states."
Darryn Warner, Interserve's CIO
"Security is a critical concern and we want this to be a key element of our culture. To this end, all our developers are trained in secure coding practices, we have 'MacGyvers' in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills."
Mark Holt, Trainline's CTO
"Barclays became the first global financial institution to focus on holistic security which redefines conventional approaches to cybersecurity and comprises cyber and physical security, as well as intelligence, investigations, and resilience.
"An integrated security function covers the business environment and allows more visibility into normal and abnormal activities. It adapts security strategy to the current digital environment in order to bring innovation to the next level in the safest way possible and promote the benefits of secure business to all our clients, employees, and stakeholders. 'Security by design' has become a core part of the processes at Barclays."
Elena Kvochko, Barclays Bank's CIO Group Security Division
"Digital literacy is regularly communicated at all levels of the organisation through workshops, intranet, noticeboards or email briefings and advisories. An example has been cybersecurity and keeping staff informed via regular email and intranet advisories such as 'Anatomy of a malicious email', a cybersecurity section at our welcome day for new starters, a collection of cybersecurity do's and don'ts posters for staff noticeboards around the country, and a board workshop about cybersecurity risk and mitigation."
Greg Morley, United Living's CIO
"A security awareness roadshow addressed our general user security awareness – a new and home-grown approach to engaging face to face with our employees across the group that has been successful and is set to continue and evolve to make increased use of our internal creative and marketing resources. The groundwork for this new initiative was completed last year with the creation of our security content, shared with the business in monthly communications within our group."
Sean Harley, Ascential's CIO
"We have also tried to be innovative in the way in which we approach IT security, taking a 'rights and responsibilities' approach with end users, rather than a prescriptive, policy-based approach. For example, we are trialling the use of 'self-managed' laptops, where scientists get the rights to manage Crick-provided equipment, but are accountable to me as CIO for following good practice guidelines, which we supply."
Alison Davis, Francis Crick Institute's CIO
"First and foremost we take security really seriously and we have an InfoSec office to make sure all of our solutions we have deployed have got the right kind of security control. We are investing in InfoSec and cybersecurity as an asset itself. But you can only be effective and as good as the attackers.
"I have got a team of cybersecurity architecture and that starts with the data centre. We have also got the core network perimeters that sit in and around the bank that we control. It is increasingly going to come up on the radar and it is a tough gig to ensure we stay one step ahead but I am pretty pleased that at the moment I think we are."
Martyn Atkinson, Metro Bank's CIO
"I set up an information security steering group in the first three months of joining after reviewing where we were on the infosec roadmap. The steering group is 80% of the management board of Brussels Airlines and is a mandatory monthly meeting. It has opened eyes to the current level of maturity in information security and is now the group that is authorising spend and priority on the three-year programme that is now in place."
Simon Lamkin, Brussels Airlines' CIO
"My boss tells me that I am the only person that has ever made technology understandable. I am not an IT person so I don't have that background. I am able to spend a lot of time thinking about the scenarios that I need for them to understand the impact of technology and what it can do for us.
"For example, with cybersecurity, when we were looking at the scenarios: if this happens, then what would be the immediate effect? They responded with: 'That can't happen, can it?' So this is what we have got to do: make sure it doesn't happen, or if it does, how we deal with it. You can't predict these things, but it is how you will respond to them, and I think using those scenarios as stories is a very powerful way of explaining it and also turning it into business and revenue impact. We need to replace this ageing infrastructure because if we don't we will not be able to put the product in and respond to attacks."
Sharon Cooper, BMJ's Chief Digital Officer
"Security is a big issue for us at Greenpeace and it has been for many years. We are an organisation that campaigns strongly around the world. We have been a user of two-factor authentication for some time across all of our users, and culturally security is something that is embedded in our ways of working.
"We have security training that we put people through and getting that balance right, of course, is something that I address locally at a UK level, the IT Council and through our Information Security Officer to make sure that we are managing it effectively."
Andrew Hatton, Greenpeace UK's Head of IT