How CIOs are protecting their organisations from cyber attacks

Organisations are becoming more and more vulnerable to cyber attacks, and CIOs are responsible for ensuring they are protected against the growing threat.

More than half of the members of the 2018 CIO 100 detected a breach in the last year, while 81% expected to be spending more on their defences in 2019.

CIO UK spoke to some of the top IT business leaders in the UK about their cyber security strategies.

David Germain - RSA Group

RSA Group CIO and CTO David Germain, who started the dual role at the general insurance company in 2017, took charge of building a new cyber security strategy at the organisation - starting by hiring experienced CISOs to work across regions in order to achieve best practice and create a collaborative approach.

"We refreshed all security policies and wanted to understand emerging issues across the industry, so ethical hacking and spotting vulnerabilities," he said.

Germain also outlined a migration to Office 365 and renegotiated some key telecommunications contracts, which brought about immediate business savings.

"We have been able to work with cloud providers to have an environment that allows them to do that themselves, and not have IT help build an environment," said Germain - as long as the right guardrails are established beforehand, of course.

Graeme Hackland - Williams F1

One way in which Williams F1 CIO Graeme Hackland has helped to protect his organisation from cyber attacks is by developing an ecosystem of cybersecurity partners.

Hackland also deployed the Acronis hybrid cloud data protection solution as a way to protect the team's data backup - and to detect and terminate possible ransomware attacks.

"Here at the track, we absolutely stick to tier one [vendors]," he said. "I need it to be 100% available for five days and then pack it up and either drive it in a truck to another track or stick it in an airplane. So we are very much tier-one vendors at the track.

"Everything else we're willing to push the envelope wherever we can get the best performance."

Alan Hill - University of Exeter

University of Exeter CIO Alan Hill believes that putting the university through the National Cyber Security Centre's Cyber Essentials Plus certification programme has helped it win research grants from the Ministry of Defence and critical national infrastructure organisations, but he remains concerned about how he can keep sensitive research data secure.

"Now, we've got this juxtaposition; I need to protect some data, but we have an open data policy. Our research data is all open, but there are some things that I need to protect - intellectual property, which is going to make us income," he says.

"That needs a level of maturity in higher education in the UK that is guaranteeing that the vast amount of money that the government is going to pump into research, including after Brexit, that we need to take our responsibilities of guarding our IP and our research effectively for the nation. And that's why we've been building our security capability here."

He also feels that the board must understand the risk to ensure that defences are sufficient.

"What's important is the board gets that," he says. "The board understands that cyber security risk. One of the most important things in all the security work I do with the board, is to remind people that it is going to go wrong, and it's about how we react and respond that is important. They recognise it is going to go wrong, but nobody can say we were asleep at the wheel."

Cal Corcoran - Gatwick Airport

Gatwick Airport relies on biometrics to help get most of its 46 million annual passengers through security in less than five minutes. CIO Cal Corcoran says the airport "does more with biometrics than most military-grade organisations - we know a lot about iris recognition".

He protects the airport's technical defences through a "Noah's Ark principle" that calls for two types of firewall, network security and every other technology the airport uses for protection.

"I double up on everything and that's what allows me to sleep at night," he says.

"If you buy a cheap ticket, that gets you airside and that airport is a great place to dwell for a few hours. You can hang around and nobody's going to say anything to you, so I think about cyber and with the CISO that reports into me at Gatwick I worry about cyber.

"I worry less about the technical threats, and the spotty 16-year-old in their back bedroom somewhere - we have very good technical defences and very good process defences. I worry more about the combination of social engineering and technology engineering. So somebody willing to physically come on site, present themselves as an employee or passenger, who is very technically savvy. I worry about that more than I do about the person who's going to sit in their bedroom wherever it is."

Simon McCalla - Nominet
Nominet CTO Simon McCalla's strategy for protecting the critical national infrastructure of the Domain Name System (DNS) behind 12.5 million .uk domains begins with creating the right culture.

"It's about having every member of staff understanding the excitement and the responsibility and challenge of maintaining that infrastructure, and doing that in such a way that we can keep a high level of service not just from a technology perspective but from a security and a customer service perspective as well," he says.

"DNS infrastructure is quite unique. It needs a very specific set of skills. What we have to make sure we do is we have to have true diversity in just about everything we do. So for everything from network links to servers to locations around the world to versions of software we have, we have multiple redundancy and diversity in that so that we're not affected by things like zero-day exploits and key bugs."

Nominet's experience securing .uk over the last 25 years has allowed it to create a new business in the form of a Cyber Security division that helps organisations use real-time DNS analytics to pinpoint threats. The unit also markets NTX, a threat monitoring and analytics platform that will provide a launchpad for Nominet's international expansion as a broader technology business than just a domain name registry.

"We've been working behind the scenes to ensure that we can remove as many threats from .uk as possible, and some of that is stuff that we talk about openly, and some of that is stuff that we have to do quietly behind the scenes with law enforcement to tackle some of the bigger challenges, and we've been pretty successful at that," says McCalla. "This division is a kind of natural exposure of some of those skills and capabilities into a more commercial market."

Dave Roberts - Radius Payment Solutions

Radius Payment Solutions CIO Dave Roberts protects the payment solutions and fleet services company through blending the best systems with the right cultural mindset.

"Cyber security is now a board-level agenda item with a spotlight on managing IT security, risk and compliance accordingly," he says. "In March 2018, following a two-year period of intensive work, Radius Payment Solutions successfully achieved the ISO 27001 Information Security Management Systems Certification.

"To reach this level of compliance it was important not just to have good IT controls and systems but also instill the right culture and adoption of security by design and best practice across the organisation.

"Working with third-party security vendors has helped to provide external insight and guidance on how to optimise organisational cyber security and reduce the exposure to known vulnerabilities. The IT security landscape is ever-changing and therefore needs ongoing attention to stay ahead of the emerging attack vectors."

Mark Walmsley - Freshfields

Freshfields CISO Mark Walmsley protects the Magic Circle law firm by spreading his defences across people, processes and technology.

"You can't just buy a technology to resolve a problem," Walmsley told CIO UK. "You have to say how does my workforce work? What do they need to do? How are they most efficient? That's the people.

"Then you go to the process and document exactly what you're doing and what's acceptable. What does the road look like? And then the third thing is investing heavily in good technology, and there are a few products on the market at the moment that do very good insider threat technology."

Walmsley is particularly concerned by the growth of insider threats, which he mitigates through a zero trust security model and software such as the Dtex platform, which spots signs of unusual activity by analysing user behaviour.

"We have a full audit log of everything that's gone on and all of the alerts will trigger as soon as it's got connectivity back to the network," he said.
Duncan Stott - Kier Group

Kier Group CIO Duncan Stott stays on top of cyber security issues at the FTSE 250 construction company through continuous learning and fostering a close working relationship with his CISO, Jim Griffiths.

In 2015, Stott took a year's Open University course in information security, which taught him the basics, and has kept up with developments by following the advice of experts and reports in the media. He divides the specific security responsibilities at Kier between himself and Griffiths.

"The CIO must own the IT and security strategy and communicate it well enough to the business executives that they are able to make informed decisions," Stott told CIO UK. "The CISO doesn't have to do that. The CISO has to implement the technical and people components of the strategy."

Stott relies on Microsoft for the bulk of Kier's technical defences.

"One challenge for CIOs in the security market is looking at the myriad of point solutions, many of which won't be around for long, as they'll either be acquired or they'll decline," he said. "That is why Kier has adopted a Microsoft strategy. We believe that Microsoft is one of the world's leading players and has got a toolset that is broad, deep and future-proof."

Nicholas Lloyd - Permanent Joint Headquarters of the MoD

As CIO for the Permanent Joint Headquarters of the Ministry of Defence, Nicholas Lloyd is responsible for the IT behind every overseas military operation. His cyber security strategy has to address the varied threats from both terrorist groups and nation-states in 52 locations across Europe, Africa, the Middle East and Asia.

"You're not going to necessarily see zero-day exploits being used directly by states unless there's a specific high reward for what they're going to use those for, because once they've used it, the awareness of it means you lose that first move advantage. And then of course it's out there and might well be used against you as well," Lloyd told CIO UK.

"Typically speaking, I think on a day-to-day basis we will see the same range of tools, techniques and procedures used against us as you would find in say the financial industry. But we have to obviously be prepared for threats beyond those as well."

His two core principles of defence are collaborating with other departments and allies, and creating a strong security culture and strategy around the use of information. All MoD information is thoroughly classified, with details given on the potential impact of it falling into the wrong hands and on how to respond should that happen.

"There's an element here that's a little bit like swimming with sharks," Lloyd said. "If you swim with sharks you might well get bitten but probably your first priority is to be a better swimmer than the person next to you."

Richard Orme - Photobox Group

Richard Orme, CTO of the Photobox Group (Photobox, Moonpig, Hofmann, posterXXL), discussed with CIO UK the cybersecurity pressures involved when handling the billions of photos uploaded by their customers.

"Consumer trust is at the heart of everything that we do," said Orme. "Our customers upload extremely dear and precious memories to us, so we are always looking to improve the way that we work in a security context."

At the Photobox Group, the Chief Information Security Officer (CISO) position is regarded as a pivotal role. "We went out and hired a guy called Dinis Cruz, who's our CISO, who is an active member in the security community right now," said Orme. "He hosts a lot of meetups, he's regarded as a thought leader in this space. We sort of gave him a blank piece of paper, and said, 'Okay. If you were going to take a look at everything we do, how should we rethink the way we do security?'"

Orme discussed how changing attitudes towards cybersecurity is a company-wide exercise. "It's not so much a question of what tools can we buy to help us? It's how do we change as an organisation? How do we change our culture?"

"That's where Dinis, our CISO, has been very strong," said Orme. "He'll sit with the engineering teams and educate them, and he'll create challenges for them. He'll commit code with them. So he really talks their language, and they respond to that massively. Instead of seeing security as something that they have to do, they now see it as an interesting problem to solve. Like with any engineering team, if you can give them a problem to solve, then they're at their happiest."

Orme said that while cybersecurity was previously something to be checked off a list at the end of the development process, this approach has changed. "We now bring those ideas and that thought process in right at the very beginning of our product development lifecycle," he said. "So customer security concerns are baked into every piece of software engineering that we do from the off. All of our datasets are encrypted. We are encrypting data at rest and in motion. We've worked with a number of different suppliers in the market, so we now actually have another couple of AI-driven devices that are continually scanning our networks."

Mark Stanton - Dudley Group NHS Foundation Trust

Dudley Group NHS Foundation Trust CIO Mark Stanton is helping to make the NHS more digital by implementing an electronic patient records system.

To keep the paperless system secure, the organisation has recruited an information governance manager of cyber security, but Stanton believes the most important aspect of cyber security is improving staff awareness.

"Around cybersecurity, we are putting good practices into IT and investing in technology to help protect us but clearly, the weakest link is always going to be the workforce," Stanton told CIO UK.

"As part of the mandatory training, there is an IT security module which staff members have to undertake annually so there has been a lot of mystery shopper type activities where we have been creating and testing our own viruses. We are sending out emails to our staff with fake viruses and seeing who has clicked on those links.

"We are also running poster and intranet campaigns where we are very much engaged with the workforce at large in terms of getting them to understand it. The media has done a good job for the NHS and the WannaCry scandal because it has hit mainstream news and brought it to everyone's attention so now we quite often get staff telling us their worries around cybersecurity."

Elena Kvochko - Barclays

Barclays Group Security Function CIO Elena Kvochko is taking a holistic and data-driven approach to security.

"Barclays became the first global financial institution to focus on holistic security which redefines conventional approaches to cybersecurity and comprises cyber and physical security, as well as intelligence, investigations, and resilience," she told CIO UK.

"An integrated security function covers the business environment and allows more visibility into normal and abnormal activities.

"It adapts security strategy to the current digital environment in order to bring innovation to the next level in the safest way possible and promote the benefits of secure business to all our clients, employees, and stakeholders. 'Security by design' has become a core part of the processes at Barclays."

Mark Holt - Trainline
Trainline CTO Mark Holt puts security at the forefront of everything the rail ticket platform does, from adding new features to the app to developing long-term strategy.

"I care about three things in this order: security, reliability and new functionality," Holt told CIO UK. "So if you create some wonderful new functionality but it's not secure it's not going out of the door, and interestingly my direct reports are to director of security, reliability and a director of engineering.

"What we do is try and bake security in from the very outset when we're thinking about it, so all of our developers go through security training and we get the security teams involved when we're initially thinking about new ideas, and we try to make it part of the day-to-day strategy."

Holt believes that many organisations don't concentrate on security until the end of the development process.

Trainline embeds security in every aspect of its work and is beefing up its data protection practices in preparation for GDPR.

"We do obsess about it and keep an eye on it. I'm a big fan of GDPR and I think organisations should already be working in that way," said Holt.

"If you don't already care to the level that GDPR requires you to about your customers' privacy then there's something wrong."

Mieke Kooij - Trainline
Trainline Security Director Mieke Kooij focuses on both the technical and cultural aspects of security.

"Security is about creating a culture where information and systems are protected by shifting how people interact with them," she told CIO UK.

"Where possible we use technology and automation to do this, but ultimately, it's about gaining consumer trust, winning hearts and minds and changing behaviour."

Trainline is a big and busy business. The ticket retailer sells more than 100 tickets a minute, and the website receives more than 45 million visits per month.

Kooij believes it's vital that she is well-informed about all aspects of the company to maintain security and privacy for both the business and its customers.

"To do this, I need to work closely with all areas of the business," she said. "It's easy to get drawn into the day-to-day complexities of our technologies and processes, but I need to stay focused on the bigger picture."

Agile working practices help Trainline quickly adopt and adapt as new technologies and threats emerge.

Kooij adds that maintaining a solid understanding of the data under Trainline's control helps build security and privacy into the company's infrastructure and applications, and concentrate on early detection and response.

"I'm sure there is many a CIO jumping up and down about beefing up their incident response in the wake of the recent wave of malware attacks, but if they aren't also asking if they fully know the data they have, the state of their systems and whether they have controls to detect something going wrong, then they are doing their company a disservice."

David Jones - AEG

Cyber security has risen up the agenda at Anschutz Entertainment Group. David Jones, Vice President of IT in Europe at the sports and entertainment conglomerate, believes that as AEG increased its scale it had sometimes struggled to keep up cyber security best practices.

"From an information security point of view, I think partly because we're a private company and partly because we've grown rapidly, we probably didn't have some of the more enterprise things that a business of our size should have had in place," Jones told CIO UK.

"We had a new CIO join the global organisation a year ago and he identified quite quickly that there was a gap in our operation that we didn't have any real resource in information security. Also at the same time we were identifying this as a potential challenge as well.

"We're quite a lean business, so to have invested in information security is a clear sign that everyone really takes it seriously."

Jones added that the new information security director and team he has appointed was providing a health check to ensure the company was following best practices and helping to develop high-level policies, procedures and strategic business security elements.

Bharat Mistry - Trend Micro

Trend Micro security strategist Bharat Mistry believes that hiring a CISO is the safest way to develop a security strategy that keeps systems and data protected.

CIO UK research suggests his view is becoming more common. The 2017 CIO 100 revealed that 70% of organisations had a security leader reporting into the CIO function.

"Increasingly when a company is breached the pain is felt in the boardroom as organisations are often hit with huge fines, reputational damage and even lawsuits," Mistry told CIO UK.

"This change is leaving executives very concerned; they want assurances that systems are fully secure and they are fully compliant against the regulations they face. Hence as indicated by the research we are now starting to see more CISOs being employed by organisations."
Copyright © 2019 IDG Communications, Inc.