
A Pragmatic Approach for Securing Enterprise Data and Applications

More than a dozen senior IT executives representing financial services, manufacturing, healthcare, retail, and commercial business gathered in Toronto to discuss their experiences with Securing Data and Applications. The event was produced by The IT Media Group and was sponsored by Hewlett Packard Enterprise. The dialogue yielded a notable set of common issues that spans industries. This article will describe the key security challenges facing IT executives, what companies are doing to solve them, and a practical approach for enhancing your security framework.

Security is an impossible challenge to solve

After listening to the conversations, it became apparent that it was not possible to completely secure data and applications. IT executives don’t have the budgets, resources, and time to address the myriad of security issues. The following challenges expose the magnitude of the problem that companies face: 

  • The Internet of Things: The proliferation of mobile and connected devices has created a seemingly insurmountable set of variables that need to be secured and monitored. The increasing storage capacity and power of these devices also means that business-critical data and applications are being distributed beyond the reach of a secure data center. This challenge is made more severe as employees use their own devices for work-related activities.

  • The cloud: As with mobile devices, both applications and data are inevitably moving to a distributed and potentially shared infrastructure. Lines of business can adopt cloud services without engaging the traditional IT department, which makes end-to-end security difficult to govern. For cloud applications that are developed by IT, the varied and rapidly evolving programming standards make it more difficult to ensure that data is secure.

  • Humans: Human beings are necessary for business, but are also the weakest link in the security framework. Employees assume that everything they do is secure, don’t understand the impact of a lost device, are loath to use complex passwords, and are susceptible to clicking on malicious links.

  • The Board: Boards are obsessed with security, especially in light of a number of highly public breaches. A security incident can have a catastrophic impact on a company’s business, so boards are mandating that their IT departments protect their digital assets. CIOs need to balance the expectations of the board with the costs and benefits of their security initiatives.

What’s an executive to do?
 

Beleaguered IT executives are already trying to win talent wars and deliver on digital transformation. Solving security challenges is yet another costly activity that must be prioritized. Participants described some tactics being used within their organizations:

  • Perform audits and external assessments of the environment and set a security threshold that is acceptable for their industry. Boards want top-level security, but most organizations don’t need this level and cannot afford the costs.

  • Mandate security training and awareness via campaigns and continuous learning. These can also include manager and employee surveys to assess security readiness. Work with end users to understand the ramifications of losing data and identify what would happen if that data were exposed.

  • Automate security controls whenever possible to reduce the human vulnerability factor. These controls can include password management, device encryption, and limits on the use of external media.

  • Define and implement security standards for mobile and cloud-based applications. Attempt to regain limited governance of shadow IT to ensure that standards are adhered to. This also includes the assessment of new applications to determine what controls need to be layered on top of them.

  • Instrument the environment to detect and manage security breaches. Monitor types, frequency, and impacts of incidents and build a framework that can take rapid corrective action. Monitor what the competition is doing. Probing and testing of the environment can also be performed to identify security vulnerabilities and lapses.

Unfortunately, these tactics only begin to address the size and complexity of securing data and applications. There are many areas where companies are exposed and further discussion is required in order to explore them in detail.

 
A practical approach 

Participants left with the understanding that a silver bullet to solve their security dilemmas does not exist. IT executives must be prepared to roll up their sleeves to tackle their many security challenges. As a result, I offer the following tactical approach to augment your corporate security agenda: 

  • Formalize your security governance framework by naming a Security Officer and creating an organization whose mandate is to make data security a priority of both IT and lines of business. This will require a budget that must be forecasted, managed, and accounted for in your cost of delivery.

  • Realize that no vendor does it all. Pick one to partner with and to perform an external security assessment that creates a baseline against your competition. Recognize that it is in the best interests of the IT vendor to find vulnerabilities and to sell you their products and services. Your team will need the experience and acumen to work with vendors to optimize and sustain your security investments; otherwise you may find yourself in an ever-increasing money pit.

  • For big headaches, be prepared to outsource to vendors who are experts in a particular domain. If you go this route, ensure that the vendor is contractually bound to certify and pass audits of their solutions. Manage and control your vendor costs by implementing effective oversight and governance.

It is difficult to control the rapidly rising costs of security in a world where data and applications are continuously created and transformed. It is also an area that, if neglected, can lead to disaster for your business, customers, and your career. My intent was to provide enough context for you to grasp the fundamental data and application security challenges that your organization faces. It is my hope that the tactics and practical approach will help you to address those challenges in an efficient way.

 

Jeff Ishii is a senior technology executive with a wealth of experience in management consulting, services delivery and operations at Fortune 500 companies.
