Cybersecurity demands centre stage


8 December 2015

Once upon a time, and a long, long time ago it seems now, a computer user began to need a password at work. Without checking, it seems to have been around the time that ATMs appeared and bank customers had to get accustomed to PINs and cards. Most of us understood the necessity, but although your money clearly required precautions, in most organisations protecting access to your work applications seemed a tad OTT. But then at that stage most workers did not have internet access or email, so there was nothing much personal to protect. The concerns of management did not bother most workers and illicit exploration was mostly confined to important matters of curiosity like your peers’ salaries or bonuses. On the other hand, embezzlement is as old as human society so accounts systems were protected to some degree from the earliest days of computing.

But in the office in those old days, the enemy within was a possibility realised by management and the computer people and reasonable precautions taken. But the enemies without had no access to the organisation’s systems, which was only possible through a workstation on the premises. Some midnight burglary stuff might have occurred, but that was generally the stuff of thrillers, print or movie.


The world today is on 24 x 365 and cyberthreats are global. The targets, victims, mugs or however we categorise them can be individuals, kids, businesses, financial institutions and anywhere there is electronic money — or information that can be turned into money, like people’s credit card information. Which could of course range from high value intellectual property to secret business, political or other plans. For individuals, sexual peccadillos or peculiarities offer blackmail opportunities. Only if they are secret, of course, and not on open Facebook display.

The Internet of Things brings a whole new category of threats, subverting the smart objects we depend on. Could the bad guys turn off inadequately protected security systems, for example, in our homes or warehouses or banks? Could your household robot be taken over and used to let criminals in or even hold you hostage? There have already been successful demonstrations of in-car computer systems being hacked remotely — just brought to a controlled stop, but other potentially fatal consequences are equally possible. Self-driving cars would be obvious targets. Some old ideas could get a new lease of life. Remember The Italian Job? Re-programming the traffic lights in Turin was the basis of the escape plan for those mighty Minis and their cargoes of gold. Imaginable and even more credible today.

Yet another huge area of risk, highlighted on TechCentral.ie last month on foot of a report from the Eurecom research centre, is opened up by flaws in device and appliance firmware. Firmware vulnerability tests were performed on almost 2,000 embedded devices from 54 manufacturers. Serious vulnerabilities were found in 185 devices, just under a tenth of those tested. The tests were automated, so it is more than possible that concentrated expert human hacking might exploit an even higher proportion. Since the devices included routers, VoIP phones, DSL routers and IP cameras, the seriousness of the implications is obvious. A recent white hat hacking exercise took control of a ‘smart’ door entry system with video and bell — which also controlled the lock. So much for smarts.

Perhaps even more troubling is the recently reported incidence of security flaws and vulnerabilities in pre-installed software on personal devices like laptops, tablets and smart phones. There is a distinct suspicion that such flaws have been around for some time but just not discovered. But the very idea that the device you unwrap from factory packaging is already untrustworthy is just terrifying.

So it is a dangerous, cloudy, murky electronic world today… and the CIO is the primary protector. We are still prattling on about the changing role(s) and the potential rise of the CDO and all of that. The only thing that almost everyone agrees on is that the CIO is responsible for the ICT that already exists in the organisation, especially legacy systems and infrastructure, mostly on-premises and potentially on multiple sites in different countries. That most certainly includes security across all applications, systems, devices, channels and everything else. Those IoT thingies will enter the picture soon enough and indeed are already online in smart phones, smart cities, telecoms networks, high tech manufacturing and processing and automated elements of supply chains. To mention but a few.

So the CIO — or the senior ICT technical person whatever the title — is faced with what many would consider the biggest challenge of all even as tech media and conferences debate the theoretical stuff like digital transformation and Chief Digital/Data Officer roles and the like. Security is the rhino in the room.

A number of issues and questions follow. The rise of the Chief Information Security Officer (in truth Chief Security Officer would do fine) is becoming rapid, especially in financial services and online enterprises. Appropriately so, because such businesses are the digital front line. The two basic questions about that role are whether it should be combined with or report to the CIO, or have an independent line of responsibility to the CEO and board; and whether it should take in the full range of security, from digital to physical equipment and personnel.

Anecdotally, it would seem that most CIOs would advocate independence. There is a logic to having the CISO on the CIO team as a specialist expert with a sub-function, because so much of what the job is aimed at securing is digital and inextricably electronic. On the other hand, there is no real debate about the fact that a degree of independence and objectivity could be very important in carrying out the security responsibilities and in setting policies or choosing security systems and resources from software to corporate authentication disciplines. As one of our CIO interviewees discussing the CIO Agenda said, “We could both end up arguing our cases to the CEO or board, but that’s a healthy process that should benefit the organisation.”

On yet another hand, the fact of life is that in smaller organisations — in other words the vast majority in the real world — the CIO or equivalent will carry the cyber-security responsibility by default. The role may just be a line or a paragraph in a contract but it is absolutely real for all that. That much-muttered cliché ‘keeping the lights on’ should be extended to ‘…and the data safe’. Perhaps the theoretical and actually quite practical distinction is between the operational side of security and the oversight, governance and audit functions.

Things like sign-on administration, mobile security and secure back-up are all well within the day-by-day CIO and IT department remit. Something like a Cybersecurity Committee (yes, we all hate committees but sometimes they work) could take at least some of the oversight responsibility away from the direct personal duty of the CIO. That could in turn be supplemented by external consultants. The accounts are audited, so why not the security? Some of the security oversight function is inevitably, let’s be honest about it, aimed at being able to present a squeaky clean profile to any inspectors, investigators, auditors — or interested shareholders. Not succumbing to attack is the principal objective but the secondary line of defence is more political — being able to prove that all normal and best practice precautions were taken.

The unwelcome truth is that security has now moved front and centre in the responsibilities of the CIO. Very few will like that and it is probable that many will be slow to give it the priority that it so clearly warrants. Cybersecurity has become a somewhat esoteric area and many ICT leaders will be automatically wary. On the other hand, some of the most interesting and exciting developments in IT are taking place in precisely this field. The application of real-time analytics has lots of possibilities, or the new thinking that accepts perimeters will allow some attacks through and concentrates defences on granular protection of the target assets.

So if security is now high on the job spec, let us embrace it and have some (professional) fun.

TechCentral.ie