The CIO's Job: Protecting What Matters

By James Menendez


IT security is a core business concern. Malware, hackers, sabotage, natural disasters, terrorist actions or accidents could affect an unprotected enterprise at any time. Most CIOs are already implementing security measures such as firewalls, anti-virus and backup services, and conducting business-continuity and disaster-recovery planning.

However, IT's customers rarely have the same view on protection and security. They just want reliable IT systems that are ready whenever they need them. Even if they appreciate the need for security measures, they don’t want to have to remember a stack of passwords or worry about running complex backup procedures. They may also be unaware of security risks, such as the vulnerability introduced by writing down passwords, losing their laptop or cell phone, or opening the door to malware by clicking on links in emails from unknown senders.

At the same time, as customers become more tech-savvy, they are clamoring for access to the latest technologies that can enhance collaboration, mobility and productivity. If these tools are to be introduced and endorsed by the business, you must find a way of integrating them with existing systems and applications so that their benefits can be exploited without compromising security or the enterprise's assets.

For CIOs, the issue is how to bridge the gap between what end consumers need, want and demand, and how to balance the security risk and cost against the business benefit. As a CIO, the question is: how do you achieve your business objectives with security initiatives that reflect the actual value-at-risk, apply appropriate expenditure, and enable more effective management of risk across the enterprise?

Protecting the Enterprise

So, how can a CIO protect the enterprise? First, define a set of assets that receive a prioritized level of protection. In practice, this means, for example, protecting or duplicating the hardware that supports the ERP system will take precedence over ensuring the availability of individual PCs. Treat linkages between and information about customers, suppliers and partners as critical, and implement and embed strict controls into your operations to provide demonstrable protection and peace of mind for these entities.

If mobile and remote workers are allowed to use mobile devices such as laptops or PDAs to access corporate resources or work remotely, they will almost inevitably end up storing confidential and other corporate information on those devices. What happens to the information on the laptop or PDA if they lose it, or if it gets damaged or stolen? Not only does the information need to be duplicated elsewhere, so the worker can access it again at short notice, it must also be protected from unauthorized access should the original device fall into the wrong hands.

In addition to offering Internet-based backup and restore services that are ideally suited to mobile working, a managed data-encryption service can also prevent information from being accessed on lost or stolen equipment. Once the user has authenticated with the service, encryption runs transparently as a background process, automatically protecting valuable data without requiring the user to take additional steps.

Lights On

For all employees, whatever their role, reliable, always-available IT is vital to carrying out their jobs. If there’s a problem, whether it’s their own PC that fails, a corporate application that goes down, or an email server that crashes, the end result is the same—they can’t get on with their job, and to them, IT has let them down.

For the CIO, however, the objective is to provide an appropriate level of protection for each IT service, achieving a balance between two costs: the certain cost of security investments themselves; and the potential costs of a breach. Security spend should be prioritized towards necessary, relevant and business-essential security initiatives. For instance, a key corporate application going down could potentially affect the entire enterprise. An email server crashing could make communications difficult for a proportion of the workforce. But a single PC failing will directly affect just a handful of users.
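To make that balance between the certain cost of a control and the potential cost of an incident concrete, here is an added worked example that is not part of the article (which names no particular method). It uses the conventional annualised-loss-expectancy calculation: each service gets an estimated cost per incident and an expected incident rate, and each candidate control is ranked by how much expected loss it removes per dollar spent, with controls that cost more than they save dropped. All service names, costs and rates are constructed figures chosen to mirror the article's three cases (ERP, email server, single PC).

```python
"""Risk-based prioritisation of security spend (added example, not from the article).

Annualised loss expectancy (ALE) = single-loss expectancy x annual rate of
occurrence. A control is worthwhile when the expected loss it avoids exceeds
its own certain annual cost; among worthwhile controls, spend first where each
dollar avoids the most expected loss. Every number below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    users_affected: int        # how many people cannot work while it is down
    loss_per_incident: float   # single-loss expectancy, in currency units (constructed)
    incidents_per_year: float  # expected incidents per year with no extra control

    @property
    def annual_loss_expectancy(self) -> float:
        """Potential cost of breaches/outages per year if nothing is done."""
        return self.loss_per_incident * self.incidents_per_year


@dataclass(frozen=True)
class Control:
    name: str
    service: Service
    annual_cost: float         # the certain cost of the security investment
    incident_reduction: float  # fraction of incidents the control prevents, 0..1

    def expected_loss_avoided(self) -> float:
        return self.service.annual_loss_expectancy * self.incident_reduction

    def net_benefit(self) -> float:
        """Avoided loss minus the control's own cost; negative means it is not worth buying."""
        return self.expected_loss_avoided() - self.annual_cost

    def benefit_per_dollar(self) -> float:
        return self.expected_loss_avoided() / self.annual_cost


def prioritise(controls):
    """Keep only controls with a positive net benefit, best value for money first."""
    worthwhile = [c for c in controls if c.net_benefit() > 0]
    return sorted(worthwhile, key=Control.benefit_per_dollar, reverse=True)


# Constructed inventory: an enterprise-wide application, a shared server, one desktop.
ERP = Service("ERP", users_affected=5000, loss_per_incident=400_000, incidents_per_year=0.5)
MAIL = Service("Email server", users_affected=1500, loss_per_incident=30_000, incidents_per_year=2.0)
PC = Service("Single desktop PC", users_affected=1, loss_per_incident=500, incidents_per_year=1.0)

# Constructed candidate controls, one per service.
CONTROLS = [
    Control("ERP hardware redundancy", ERP, annual_cost=60_000, incident_reduction=0.9),
    Control("Mail server clustering", MAIL, annual_cost=25_000, incident_reduction=0.8),
    Control("Hot-spare PC for one user", PC, annual_cost=600, incident_reduction=0.95),
]

if __name__ == "__main__":
    print(f"{'control':30} {'ALE':>10} {'avoided':>10} {'cost':>8} {'net':>10}")
    for c in CONTROLS:
        print(f"{c.name:30} {c.service.annual_loss_expectancy:10.0f} "
              f"{c.expected_loss_avoided():10.0f} {c.annual_cost:8.0f} {c.net_benefit():10.0f}")
    print("Funding order:", [c.name for c in prioritise(CONTROLS)])
```

Run as-is, the ERP redundancy comes out first (each dollar avoids about three dollars of expected loss), mail clustering second, and the per-user spare PC is dropped because its certain cost exceeds the expected loss it would avoid. The same structure extends to breach costs rather than outage costs; the article's point that a high-impact breach deserves separate, meticulous treatment is reflected by the fact that a large loss_per_incident dominates the ranking even at a low incident rate.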

There is also a need to distinguish between threats and vulnerabilities that cause "normal" security breaches, which can be handled by technology and controls, and breaches that have high-impact consequences (directly eroding earnings or brand integrity by becoming public knowledge), which require special attention and meticulous care. Having a sound infrastructure is only part of the solution, however.

It is also vital to combine technology-based security measures with user education and behavioral changes, and to establish security policies that are rigorously enforced. Users need to understand, for example, not just why passwords must not be written down or shared, or why regular data backups are important, but also how to handle the threats coming directly to their PCs (usually via email) that could affect the entire network.

New Tools & Technology

Your community of business users may well include a number who are very technology aware, and who make use of a wide range of consumer devices and Web-based technologies they feel would enhance their productivity at work. BlackBerries, iPhones, instant messaging, VoIP, Internet-based file-sharing, RSS feeds, social networking sites, Twitter, blogs—these and more could all have a role to play in enhancing collaboration or information sharing in the working environment—but they would need to be integrated with existing business systems and security measures so the advantages can be exploited safely and securely.

Users’ impatience to see these tools installed may mean, however, that you have to deal with the potential security issues that arise from so-called "grey nets" or "shadow IT"—networks of applications and devices installed by end consumers that are not sanctioned by the IT department, and which may therefore expose the enterprise to unknown risk.

A serious security breach could damage your company’s reputation, brand image and competitive position, taking time and resources to correct, distracting resources from core business activities, and jeopardizing compliance. But most security incidents are not the result of a coordinated attack; rather, they stem from simple human error.

Whether it is carelessness, or deliberate circumvention of “awkward” security policies, mundane everyday user activities present a significant danger. The trick is to strike a balance: protecting against security risks without unnecessarily affecting business operations.

James Menendez is the VP and general manager of Global Security Solutions (GSS) within CSC's North American Public Sector (NPS) - Enforcement, Security and Intelligence division. In this role, he has executive oversight and accountability for the direction of information risk management service delivery across all global CSC markets and internal CSC systems and networks. Mr. Menendez is responsible for driving the development and delivery of GSS to commercial and public sector clients globally, including risk management consulting, systems integration, compliance management, managed security services, security outsourcing, and off-shore security service delivery.