Security of data and e-commerce is a priority, as is compliance in light of the first prosecutions in the US.
There will never be a time when CIOs can relax about the security of their systems. Both internal and external threats are on the increase, especially as the boundaries of enterprises continue to grow with mobile and wireless-based applications.
Security is still mid-point in the top 10 concerns but is likely to rise in the foreseeable future.
There are several different strands of security that IT directors worry about. The internal data and systems and keeping the organisation safe from hackers and viruses are hard enough in themselves.
They also need to ensure that online business transactions and customers are safe. The growth in identity theft and online fraud is frightening, and although the introduction of chip-and-pin for retail and more complex online authentication processes should help in the battle against fraud, it is still up there at the forefront of security worries for IT directors.
Then there is the threat to security from external events, which is really business continuity, but in IT terms begins as disaster recovery. In the past year alone businesses have had to cope with terror attacks on London’s transport network, the Buncefield oil depot explosion, floods, fires and major power failures. Planning to keep systems secure and the business up and running when some similar disaster happens takes the involvement of the entire management team.
Even though the business continuity market is maturing, which ought to make life easier for the IT director, after the London bombings some have realised that there is little point in having fail-safe mirrored systems in a different location in the same city. If everything in that city goes down, the business will go down with it. However, at least all the high profile incidents of the last year have focused senior management’s mind on this problem, and they are now actively helping, rather than just asking how much business continuity will cost.
Combating online fraud
Of course financial institutions have always had a high profile where security is concerned. Combating fraud and ensuring business continuity are still very high on their IT directors’ agendas. For example, HSBC is continuing to work against online fraud, and will introduce a two-factor authentication technology in the UK to cut internet crime for its online customers later this year. Its business continuity planning now also takes into account the risk of a bird flu pandemic.
As a significant part of its business is in Asia and the Far East, HSBC has predicted that as many as half its staff could go sick if a pandemic begins and has made plans for staff to work at home or via video and teleconferencing links.
Phishing hits RBS
RBS, like all the other banks, says it has to put security first, but no company is invincible. Earlier this year, RBS hit the headlines when its online banking customers were targeted by phishers.
The emails came from an address that looked very similar to the legitimate RBS email address and were sent out to many customers asking them to click through to a website.
The bank also has its own IT security service arm TrustAssured. Last summer, TrustAssured launched a digital ID service, Eident, providing 40,000 businesses connected to VOCA, formerly BACS, the automated payment and clearing organisation, with digital certificates. And LloydsTSB has begun rolling out a token-based authentication system to customers to encourage more of them to use the online service.
But it is not just the financial arena that is reliant on stringent security systems. Any business that does transactions over the web or has wireless capabilities is vulnerable, and in today’s business environment that means every organisation. The rise in identity theft has made some customers wary about providing personal details over the web, but any successful business has to perform web-based transactions and ensure its customers and partners are confident about the security of those systems.
Keeping the business operating in the face of threats, whether against the systems themselves, or against the business or environment it operates in is part of any IT director’s basic role, one of those dull but essential aspects to the job.
Compliance moves up the list
Next on the list of top concerns for IT directors comes compliance, which has moved up two places from eighth last year. Security and compliance work together for an IT director as many governance and compliance regulations were spawned from risk management and directly affect security.
The reason for their increased importance could be that we are seeing the first prosecutions in the US, which tends to focus the mind somewhat.
Overall there does seem to have been a positive response to compliance from CIOs. They are being seen as the experts in many organisations and are deeply involved in strategic planning to ensure their companies comply with the laws.
Senior management executives have become far more aware of the IT department since realising what compliance can mean for their companies and for their own personal responsibilities. Heads of IT are being asked to audit their IT systems, infrastructures and processes, and then to use what they discover to improve efficiency, security and productivity.
Companies now know better what systems and business processes they have in place, which ones work and which need modification.
Some are using those systems more effectively, often streamlining processes at the same time. There has not been time to argue about the relative merits of whether or not to implement, consolidate or modify something, or to delay it until the next budget round. It had to be done, and organisations are reaping the benefits.
Many large organisations have admitted that they have a far better understanding of their processes and systems because of regulatory compliance, with some, including BT and Corus, saying they have turned the requirements into positive strategic actions.
The new regulations ask for methodical, measured approaches and offer different, business process driven perspectives. For many companies regulatory compliance is now part of everything they do. This has enabled the IT director to understand what resources and processes an organisation has and to begin to increase efficiency and throughput as a result.
It is too soon to tell whether the compliance laws will achieve what they were designed for but they are already offering organisations unexpected benefits. They provide CIOs with new opportunities to take a more active part in company-wide strategic planning.