Security and the role of the CIO

Information is one of the biggest assets any organisation has; the problem is that many organisations do not appreciate how important it is until their security has been breached.

Cybercrime is estimated to cost over $1 trillion annually across the world. In the UK alone, the Cabinet Office estimates the cost to be £27 billion with almost half involving the theft of intellectual property.

This is why information assurance has to be a top priority for any CIO. The benefits of getting it right in advance are exponentially greater than trying to recover from a breach.

Last year information security topped our poll as the most important attribute of the IT professional of the future.

In November 2011, the government released The UK Cyber Security Strategy, setting out how they will assist UK businesses in protecting themselves against risk.

This includes improving the levels of professionalism in information assurance, something that we have been working towards.

So when considering information assurance, CIOs can start by establishing what they mean by information, the value of that information and the scale and scope of the issue.

How can you evaluate the worth of something unless you have sight of potential threats to the bottom line, supply chain and reputation?

This also needs to be explained and agreed with the board. Buy-in from them is the only way to get the rest of the business to understand.

Information should be audited and valued in the same way as any other company asset. Appreciation for its value is key and this will ensure that those at the top take responsibility for information assurance.

The same considerations for more traditional safety of information also apply to digital information, including availability, integrity and confidentiality.

Recruitment issues To get this right, a CIO needs to recruit the right team, be it in-house or third party contractors. Sometimes, within business, there is an assumption that an IT professional is all things to all people and this is clearly not the case.

I believe it’s important that, within large organisations, information assurance specialists are identified and provided with the right training to manage information assurance effectively.

A shortage of the right skills or attempts to shoe-horn someone into this role can be as disastrous as not having personnel in place at all.

The CIO also needs to work with other departments to make sure there is a strong plan in place for protecting information. For example, adhering to the Data Protection Act and ensuring processes for dealing with information, are engrained in people, as well as having strong communication links within the organisation.

It is crucial for an organisation to have agile risk assessment in relation to information assurance as the risks are constantly evolving.

There is often a misconception that the risk is about destruction but it is as much about corruption of data that can have adverse affects on trust and reputation.

Finally, a CIO needs to continue to promote and empower all members of staff in managing their own information assurance – giving people the confidence and the right tools to do this will be the difference between success and failure.

Everyone within an organisation needs to appreciate that information assurance is not about scare-mongering or restricting; information assurance is about enabling an organisation so that risk is effectively managed and they can continue day-to-day business without worrying about security breaches.

David Clarke is chief executive of the BCS

Pic william.neuheiselcc2.0