
A Pragmatic Approach for Securing Enterprise Data and Applications

More than a dozen senior IT executives representing financial services, manufacturing, healthcare, retail, and commercial business gathered in Toronto to discuss their experiences with Securing Data and Applications. The event was produced by The IT Media Group and was sponsored by Hewlett Packard Enterprise. The dialogue yielded a notable set of common issues that span industries. This article describes the key security challenges facing IT executives, what companies are doing to solve them, and a practical approach for enhancing your security framework.

Security is an impossible challenge to solve

After listening to the conversations, it became apparent that it was not possible to completely secure data and applications. IT executives don’t have the budgets, resources, and time to address the myriad of security issues. The following challenges expose the magnitude of the problem that companies face: 

  • The Internet of Things: The proliferation of mobile and connected devices has created a seemingly insurmountable set of variables that need to be secured and monitored. The increasing storage capacity and power of these devices also means that business-critical data and applications are being distributed beyond the reach of a secure data center. This challenge is made more severe as employees use their own devices for work-related activities.

  • The cloud: Like mobile devices, both applications and data are inevitably moving to a distributed and potentially shared infrastructure. Lines of business can adopt cloud services without engaging the traditional IT department, which makes end-to-end security difficult to govern. For cloud applications that are developed by IT, the varied and rapidly evolving programming standards make it more difficult to ensure that data is secure.

  • Humans: Human beings are necessary for business, but are also the weakest link in the security framework. Employees assume that everything they do is secure, don’t understand the impact of a lost device, are loath to use complex passwords, and are susceptible to clicking on malicious links.

  • The Board: Boards are obsessed with security, especially in light of a number of highly public breaches. A security incident can have a catastrophic impact on a company’s business, so boards are mandating that their IT departments protect their digital assets. CIOs need to balance the expectations of the board with the costs and benefits of their security initiatives.

What’s an executive to do?

Beleaguered IT executives are already trying to win talent wars and deliver on digital transformation. Solving security challenges is yet another costly activity that must be prioritized. Participants described some tactics being used within their organizations:

  • Perform audits and external assessments of the environment and set a security threshold that is acceptable for their industry. Boards want top-level security, but most organizations don’t need this level and cannot afford the costs.

  • Require security training and awareness through campaigns and continuous learning. These can also include manager and employee surveys to assess security readiness. Work with end-users to understand the ramifications of losing data and identify what would happen if that data is exposed.

  • Automate security controls whenever possible to reduce the human vulnerability factor. These controls can include password management, device encryption, and limits on the use of external media.

  • Define and implement security standards for mobile and cloud-based applications. Attempt to regain limited governance of shadow IT to ensure that standards are adhered to. This also includes the assessment of new applications to determine what controls need to be layered on top of them.

  • Instrument the environment to detect and manage security breaches. Monitor types, frequency, and impacts of incidents and build a framework that can take rapid corrective action. Monitor what the competition is doing. Probing and testing of the environment can also be performed to identify security vulnerabilities and lapses.

Unfortunately, these tactics only begin to address the size and complexity of securing data and applications. There are many areas where companies are exposed and further discussion is required in order to explore them in detail.

A practical approach

Participants left with the understanding that a silver bullet to solve their security dilemmas does not exist. IT executives must be prepared to roll up their sleeves to tackle their many security challenges. As a result, I offer the following tactical approach to augment your corporate security agenda: 

  • Formalize your security governance framework by naming a Security Officer and creating an organization whose mandate is to make data security a priority of both IT and lines of business. This will require a budget that must be forecasted, managed, and accounted for in your cost of delivery.

  • Realize that no vendor does it all. Pick one to partner with and to perform an external security assessment that creates a baseline with your competition. Recognize that it is in the best interests of the IT vendor to find vulnerabilities and to sell you their products and services. Your team will need the experience and acumen to work with vendors to optimize and sustain your security investments; otherwise you may find yourself in an ever-increasing money pit.

  • For big headaches, be prepared to outsource to vendors who are experts in a particular domain. If you go this route, ensure that the vendor is contractually bound to certify and pass audits of their solutions. Manage and control your vendor costs by implementing effective oversight and governance.

It is difficult to control the rapidly rising costs of security in a world where data and applications are continuously created and transformed. It is also an area that, if neglected, can lead to disaster for your business, customers, and your career. My intent was to provide enough context for you to grasp the fundamental data and application security challenges that your organization faces. It is my hope that the tactics and practical approach will help you to address those challenges in an efficient way.

 

Jeff Ishii is a senior technology executive with a wealth of experience in management consulting, services delivery and operations at Fortune 500 companies.

 
