Roundtable: Securing Information in an Unsecure World
Many pressing issues around enterprise security were discussed in depth at The IT Media Group’s recent Masters Series roundtable, “Securing Information in an Unsecure World”, held Dec. 6, 2013 in Toronto. Turnout for the event was excellent, with 19 CIOs and CISOs in attendance from a variety of private-sector (e.g., financial services, retail, healthcare, natural resources, real estate) and public-sector (e.g., Govt. of Ontario, healthcare, education) organizations. The event was sponsored by Symantec Canada.
Here are some of the highlights:
Gaining user buy-in: Organizations are facing multiple challenges when it comes to gaining user buy-in for good security practices. Roundtable members agreed that security measures need to be as invisible as possible to end users; if workflow is impeded, users will often fail to comply with proper security procedures. It was suggested that a back-to-basics approach be taken, with security built in at the beginning of application development, rather than being ‘bolted on’ later, resulting in extra steps on the part of users.
Corporate commitment to security: The emphasis on security can vary greatly from one industry to the next and from one firm to the next. In general, organizations with a focus on financial and personal information, such as retail, financial services, government and healthcare, are rigorous in their security practices and procedures. In some organizations without a strong focus on personal information, business expediency can sometimes trump security practices and procedures. Many organizations are struggling to find a balance between good security and more openness and functionality for customers.
Security and the cloud: Several roundtable members expressed concerns around public cloud offerings such as Dropbox. There is debate in some organizations around whether or not to allow users to access public clouds. In particular, there was a concern about the IT organization’s ability and right to look at what employees are putting into public cloud offerings. As well, there is debate in some organizations around implementing a private cloud rather than opting for public cloud offerings, with the significantly higher cost of a private cloud being weighed against the security concerns associated with public cloud.
Access to security skills: Some organizations are finding it difficult to attract skilled full-time security employees. Cost is an important factor, as skilled security people can make substantial money through contracting – more than many organizations are able to pay them as full-time employees. Some attendees pointed to the fact that academia is failing to turn out adequate numbers of graduates trained in the security skills needed by business. As one attendee said, educational institutions often focus on “the cool stuff”, rather than the practical skills needed by business.
Concerns around future threats: Attendees identified a variety of future threats that they are concerned about, including the proliferation of mobile device applications with their own encrypted tunnels, which prevent the IT organization from seeing inside them and knowing whether or not corporate information is being lost; the possibility of introducing huge risk to the organization through the implementation of public cloud; and the threat of what’s next around the corner: is it the next zero day, is it a disgruntled employee, is it BYOD?
Session Highlights Videos
Participants discussed some of the key steps in preparing for, and responding to, an incident.
Dealing with an Internal Security Breach
The greatest danger can be from within the organization.
The Education Gap
Grow internally or hire? Finding qualified information security personnel can be a challenge.
Training for Users
Educated users are an important component of information security.
The Millennium Workforce
The newer generation of employees has a different perspective on privacy and security that may not be easy to accommodate.
Some participants share the insights that resonated with them.
Post-session interviews
Sean Forkan - VP & General Manager, Symantec Canada
Mark Keating - CIO, Peel District School Board
Anthony Iannucci - CIO, Toronto Transit Commission
Ranjika Manamperi - CISO, Royal & Sun Alliance
Kent Schramm - Head of Cyber Security Branch, Government of Ontario
The IT Media Group will host a follow-up Masters Series Roundtable on May 16, 2014 in Toronto, this time focusing on the mobile space.
The IT Media Group Masters Series roundtables bring together IT executives from across industries to leverage the experience of peers. Participants gain insights that help them improve operations, avoid difficulties, discover opportunities and make decisions with greater confidence. Attendance is open to senior IT executives by invitation only.