Online security is rarely out of the headlines these days as hackers focus their attacks on the world's top websites, compromising the data of millions of users. From the Heartbleed bug, which has undermined web encryption, to everyday criminals looking to steal online bank details, the pressure is mounting on organisations to tighten up their data defences.
Yet many organisations are failing to pay sufficient heed to these threats, according to the online security chiefs who are charged with protecting corporate data. Never mind that a serious attack can devastate a corporate reputation, leading to the chief executive's resignation (as in the case of US retailer Target) and potentially bringing hefty fines from regulators if consumer data is stolen. Too many chief executives and boards of directors simply don't believe that it will happen to them. IT bosses say they struggle to convince companies of the value of implementing expensive security systems.
To explore these issues the Guardian ran a roundtable discussion, which was sponsored by Symantec and Fujitsu, looking at ways to help IT executives promote the value of data security to company bosses.
Some of the online security sector's leading figures gathered to discuss the best methods of protecting data. They looked at ways of spreading the message to staff about basic online safety. And they examined the changing roles of chief information officers (CIOs) and chief information security officers (CISOs), the managers in charge of protecting data.
Basic security
Online security is often a case of getting the simple things right rather than looking for complex solutions, according to Edd Hardy, head of security assessment at consultancy Hut3. Most problems arise from organisations failing to put in place basic security measures, for example staff may have weak passwords of four characters.
"Really sophisticated hacks aren't that common, it could be just that there is no password on your firewall," he said. Other speakers pointed to simple failings such as people leaving a company and taking away confidential data.
The security industry may have to shoulder some of the blame for this lax approach, having over-promised with anti-virus programmes. As Darren Argyle, senior director, EMEA, information security, Symantec, said: "The industry pretty much failed a lot of organisations by saying, 'we will provide protection' and anti-virus was seen as the panacea."
Yet additional security measures are needed to provide adequate protection, he said, such as doing reputational checks on websites. But he warned that breaches of data security are "inevitable", so the important question for companies is how they deal with them when they happen.
But first, organisations need to acknowledge that they are vulnerable to attack. According to Charlie McMurdie, senior cyber crime adviser at PwC and former head of the e-crime unit at the Metropolitan Police, some companies would prefer to ignore data breaches than confess they have a problem. She said she had investigated computer hacking scams and informed companies that they had been victims, but many didn't want to know as this could damage their reputation. "Companies are putting their heads in the sand," she said.
One of the greatest challenges for CIOs is getting chief executives and boards to loosen the purse strings and spend significant sums on security systems. Javier Campos, chief information officer at marketing services giant WPP's GroupM division, said this was a struggle since spending on security provides no obvious financial benefit: "Most IT projects have a fairly clear return on investment – I spend X and I get Y. When it comes to security, what is the return on investment? It is hard to say you know the risk until something really big happens," he said.
He added that it can cost millions to give every website internally the secure "https" security protocol, which ensures data sent over online networks is protected from eavesdroppers and hackers. But when someone asks why he has spent 10% of his budget on this, all he can say is "well, it's safer".
The panel agreed that an important way of improving security was by raising awareness across an organisation about the need to take care with data, for instance, by ensuring staff don't get conned into clicking on a dodgy link or leave their laptop in the pub.
But independent information and security risk executive Jitender Arora said: "There's no point in measuring awareness, it should be a way of life. Just the way we educate our kids, it's the same in the corporate world, educating people on a day-to-day basis about how we expect them to behave."
There was general agreement that cyber-security goes beyond simply protecting a company from attack and needs to be seen as part of the overall digital strategy. CIOs need to take opportunities to contribute to business development as they arise. Rob Lay, solutions architect at Fujitsu UK&I, said: "It is about business not technology. What we see time and again is business practices not working. Education and awareness are about cultural change in the business."
For Dr Rick Norris, a psychologist from Critical Support Services and Solutions, there is a mismatch in outlook between security executives and chief executives. CIOs and CISOs tend to be pessimists, believing that security breaches are inevitable. But this doesn't wash with CEOs who are inherently optimistic and may minimise the risks of getting hacked. "If I buy a wonderful system what do I get? Business as usual. It is difficult to justify when I see nothing in return," said Norris. For CEOs, this seems like a waste of money. The answer, the roundtable heard, is to appeal to the optimism of CEOs and to show investment in security in positive terms, as an enabler of the business.
Risk management
The panel agreed that information chiefs have to get better at selling their services to chief executives. As Arora said: "I'd like to see them operating as if they are running their own shop, every year they are going to the board asking for more money and exceeding expectations."
The roundtable heard an effective way of making a case for risk management is through scenario planning, which can be deeply involving for boards of directors and powerfully highlights the issues.
One of the big questions facing the panel was about the future of the chief information officer's role. How will it evolve – or is it dead? With the consumerisation of IT making it is easier for ordinary people to use, could the CIO become redundant? According to IT research firm Gartner, chief marketing officers will spend more on IT than CIOs by 2017. Meanwhile, the increasing significance of big data has led to the rise of the post of chief digital officer. These developments threaten to do away with the need for CIOs and CISOs, the roundtable was told.
Organisations are collecting ever more data from customers in the belief that it will give them greater insights into their behaviour. But Mark Oakton, a policy adviser at InfoSec Partners, came up with a novel solution to the problem of data-overload. "Let's get rid of some of our data and not have as much. Let's have a better handle on the customers we deal with," he said.
Only six of the FTSE 350 companies have a chief information officer on the board, according to a report from Grant Thornton (pdf). For Michael Faber, managing director of Regal Training and Consultancy, this statistic shows the importance of getting more IT specialists on to boards. "We won't achieve the results we want without buy-in from the board," he said.
So how can the industry train the right kind of people and ensure that CIOs and CISOs become a vital part of the future? Nigel Harrison, a director at Cyber Security Challenge UK, a body charged with bringing more talented people into the cyber-security profession, explained that it was important to find people with a broad range of soft managerial skills rather than just technical expertise. "The days of looking [for] aspiring CIO from the techie stream are absolutely gone. That ability to identify people who are rounded and savvy in business, who see information as an enabler of business – some of those messages are starting to get through," he said.
Improving the standing of information chiefs inside organisations will enhance their ability to persuade management to put in place security measures to ward off the hackers. But they will have to show how they create value for those organisations rather than just providing a defence against some invisible threat.
Key discussion points
As information and data become an integral part of daily life, we need to ensure that it is not vulnerable to theft. The work of chief information officers (CIOs) and chief information security officers (CISOs) in protecting data has assumed huge importance. But these managers face a challenge in showing organisations the importance of risk management. How do you persuade a company to spend significant sums on protecting their data from hackers without sounding like the voice of doom?
At the table
Tom Brewster (Chair) Journalist
Michael Faber Managing director, Regal Training and Consultancy Limited
Charlie McMurdie Senior cyber crime adviser, PwC
Rob Lay Solutions architect, Fujitsu UK&I
Paul Appleton Head of information security, G4S
Edd Hardy Head of security assessment, Hut3
Dr Rick Norris Psychologist/executive coach, Critical Support Services and Solutions
Andy Sands Manager, information security and governance, BBC
Darren Argyle Senior director, EMEA, information security, Symantec
Nigel Harrison non-executive director, Cyber Security Challenge UK
Mark Oakton Policy adviser, InfoSec Partners
John Swanson Head of security offerings, Fujitsu UK&I
Jitender Arora Information security and risk executive
Tony Latienda Business development, marketing and bidding manager, UK Power Networks Services
Geraint Price Security expert, Royal Holloway, University of London
Javier Campos Chief information officer, WPP's GroupM
This content has been sponsored by Symantec and Fujitsu, whose brand it displays. All content is editorially independent. Contact Ashley Evans on 020 3353 2758 (ashley.evans@theguardian.com). For information on roundtables visit: theguardian.com/sponsored-content
