A Pragmatic Approach for Securing Enterprise Data and Applications
More than a dozen senior IT executives representing financial services, manufacturing, healthcare, retail, and commercial business gathered in Toronto to discuss their experiences with Securing Data and Applications. The event was produced by The IT Media Group and was sponsored by Hewlett Packard Enterprise. The dialogue yielded a notable set of common issues that spans industries. This article will describe the key security challenges facing IT executives, what companies are doing to solve them, and a practical approach for enhancing your security framework.
Security is an impossible challenge to solve
After listening to the conversations, it became apparent that it was not possible to completely secure data and applications. IT executives don’t have the budgets, resources, and time to address the myriad of security issues. The following challenges expose the magnitude of the problem that companies face:
- The Internet of Things: The proliferation of mobile and connected devices has created a seemingly insurmountable set of variables that need to be secured and monitored. The increasing storage capacity and power of these devices also means that business-critical data and applications are being distributed beyond the reach of a secure data center. This challenge is made more severe as employees use their own devices for work-related activities.
- The cloud: Like mobile devices, both applications and data are inevitably moving to a distributed and potentially shared infrastructure. Lines of business can adopt cloud services without engaging the traditional IT department, which makes end-to-end security difficult to govern. For cloud applications that are developed by IT, the varied and rapidly evolving programming standards make it more difficult to ensure that data is secure.
- Humans: Human beings are necessary for business, but are also the weakest link in the security framework. Employees assume that everything they do is secure, don't understand the impact of a lost device, are loath to use complex passwords, and are susceptible to clicking on malicious links.
- The Board: Boards are obsessed with security, especially in light of a number of highly public breaches. A security incident can have catastrophic impacts on a company's business, so boards are mandating that their IT departments protect their digital assets. CIOs need to balance the expectations of the board with the costs and benefits of their security initiatives.
Beleaguered IT executives are already trying to win talent wars and deliver on digital transformation. Solving security challenges is yet another costly activity that must be prioritized. Participants described some tactics being used within their organizations:
- Perform audits and external assessments of the environment and set a security threshold that is acceptable for their industry. Boards want top-level security, but most organizations don't need this level and cannot afford the costs.
- Require security training and awareness through campaigns and continuous learning. These can also include manager and employee surveys to assess security readiness. Work with end users to understand the ramifications of losing data and identify what would happen if that data is exposed.
- Automate security controls whenever possible to reduce the human vulnerability factor. These controls can include password management, device encryption, and limits on the use of external media.
- Define and implement security standards for mobile and cloud-based applications. Attempt to regain limited governance of shadow IT to ensure that standards are adhered to. This also includes the assessment of new applications to determine what controls need to be layered on top of them.
- Instrument the environment to detect and manage security breaches. Monitor types, frequency, and impacts of incidents and build a framework that can take rapid corrective action. Monitor what the competition is doing. Probing and testing of the environment can also be performed to identify security vulnerabilities and lapses.
Unfortunately, these tactics only begin to address the size and complexity of securing data and applications. There are many areas where companies are exposed and further discussion is required in order to explore them in detail.
Participants left with the understanding that a silver bullet to solve their security dilemmas does not exist. IT executives must be prepared to roll up their sleeves to tackle their many security challenges. As a result, I offer the following tactical approach to augment your corporate security agenda:
- Formalize your security governance framework by naming a Security Officer and creating an organization whose mandate is to make data security a priority of both IT and lines of business. This will require a budget that must be forecasted, managed, and accounted for in your cost of delivery.
- Realize that no vendor does it all. Pick one to partner with and to perform an external security assessment that creates a baseline with your competition. Recognize that it is in the best interests of the IT vendor to find vulnerabilities and to sell you their products and services. Your team will need the experience and acumen to work with vendors to optimize and sustain your security investments; otherwise you may find yourself in an ever-increasing money pit.
- For big headaches, be prepared to outsource to vendors who are experts in a particular domain. If you go this route, ensure that the vendor is contractually bound to certify and pass audits of their solutions. Manage and control your vendor costs by implementing effective oversight and governance.
It is difficult to control the rapidly rising costs of security in a world where data and applications are continuously created and transformed. It is also an area that, if neglected, can lead to disaster for your business, customers, and your career. My intent was to provide enough context for you to grasp the fundamental data and application security challenges that your organization faces. It is my hope that the tactics and practical approach will help you to address those challenges in an efficient way.
Jeff Ishii is a senior technology executive with a wealth of experience in management consulting, services delivery and operations at Fortune 500 companies.