Almost half of the 2017 CIO 100 organisations have experienced a security breach within the last 12 months. CIOs are now integrating security training and awareness programmes to help protect their organisations against incoming threats.
Following the WannaCry cyberattack, which disrupted 61 NHS organisations in the UK and more than 200,000 systems worldwide, cybersecurity remains an ongoing issue for businesses today.
CIO UK recently spoke to TalkTalk Business COO Duncan Gooding on how they are still overcoming their massive 2015 security breach, which resulted in £400,000 in fines and losses of £60 million. (See also: TalkTalk Business COO Duncan Gooding on security strategy since 2015 cyberattack)
A cultural change should result in staff becoming aware of and responsive to security issues, while also improving their skill set and attitude when it comes to security. Read on to find out how eight 2017 CIO 100 members are raising awareness of security and the safety of their organisations. (Read next: 8 steps for implementing a successful security plan)
"We have developed a new and more confident governance and assurance structure that takes a more objective approach to architecture and security. We have introduced FAIR [factor analysis of information risk] as a risk management and assessment methodology that allows a more balanced, less risk-averse approach. It has been used in assessing risks for both live systems and proposed changes and is allowing us to save time and effort later on.
"We are also covering key areas such as privacy, service and security by design and what that means so that expectations on how to deliver are managed."
Laura Dawson, CIO, British Council
"We are working to improve the group's information security position through training and awareness campaigns, and preparing for GDPR legislation due in May 2018, where we need to have significantly more insight into how personal data flows across our estate and how it is secured and protected in each of its states."
Darryn Warner, CIO, Interserve
"Security is a critical concern and we want this to be a key element of our culture. To this end, all our developers are trained in secure coding practices, and we have 'MacGyvers' in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills."
Mark Holt, CTO, Trainline
"Barclays became the first global financial institution to focus on holistic security, which redefines conventional approaches to cybersecurity and comprises cyber and physical security, as well as intelligence, investigations, and resilience.
"An integrated security function covers the business environment and allows more visibility into normal and abnormal activities. It adapts security strategy to the current digital environment in order to bring innovation to the next level in the safest way possible and promote the benefits of secure business to all our clients, employees, and stakeholders. 'Security by design' has become a core part of the processes at Barclays."
Elena Kvochko, CIO, Group Security Division, Barclays Bank
"Digital literacy is regularly communicated at all levels of the organisation through workshops, intranet, noticeboards or email briefings and advisories. An example has been cybersecurity and keeping staff informed via regular email and intranet advisories such as 'Anatomy of a malicious email', a cybersecurity section at our welcome day for new starters, a collection of cybersecurity do's and don'ts posters for staff noticeboards around the country, and a board workshop about cybersecurity risk and mitigation."
Greg Morley, CIO, United Living
"A security awareness roadshow addressed our general user security awareness – a new and home-grown approach to engaging face to face with our employees across the group that has been successful and is set to continue and evolve to make increased use of our internal creative and marketing resources. The groundwork for this new initiative was completed last year with the creation of our security content, shared with the business in monthly communications within our group."
Sean Harley, CIO, Ascential
"We have also tried to be innovative in the way in which we approach IT security, taking a 'rights and responsibilities' approach with end users, rather than a prescriptive, policy-based approach. For example, we are trialling the use of 'self-managed' laptops, where scientists get the rights to manage Crick-provided equipment, but are accountable to me as CIO for following good practice guidelines, which we supply."
Alison Davis, CIO, Francis Crick Institute
"I set up an information security steering group in the first three months of joining after reviewing where we were on the infosec roadmap. The steering group is 80% of the management board of Brussels Airlines and is a mandatory monthly meeting. It has opened eyes to the current level of maturity in information security and is now the group that is authorising spend and priority on the three-year programme that is now in place."
Simon Lamkin, CIO, Brussels Airlines