CIO crime watch: Five critical security challenges for IT leaders

Mark Shapland – September 2014

Ben de la Salle, head of IT security and risk at Old Mutual Wealth, identifies the threats that keep CIOs awake at night.

IT security is never far from the top of every CIO’s agenda — and for good reason. The combination of reputational damage and cost that a major breach can inflict on an organization can be career-damaging for even the most valued CIO.


Analysts at B2B International estimate that the average cost of an IT security breach to large organizations in 2013 was close to $650,000. And that growing wave of cybercrime translates into a cost to the global economy of $445 billion, according to a recent study by the US Center for Strategic and International Studies.

To counter that, organizations worldwide will spend $71.1 billion on information security in 2014, up 8% over the year, according to Gartner. Indeed, investment in measures to prevent data loss alone will jump by almost a fifth during the year, says the analyst group.

Behind those numbers is a set of daunting challenges, say experts like Ben de la Salle, head of IT security and risk at investment company Old Mutual Wealth. He singles out five key challenges that CIOs need to stay on top of — and address.

1. Tackle mobile vulnerabilities

For the CIO, mobile technologies represent the biggest current threat. Employees and customers want to be able to do much of their work via mobile devices, and this means providing access to internal documents, email, customer accounts, financial data and so on.

As a work device, the mobile phone is still in the early stages of its evolution, says de la Salle, and that immaturity makes it a prime target for hackers looking to access sensitive information.

“Any new platform brings new threats. For the moment, mobile platforms are not really built with security in mind,” says de la Salle.

The downloading of apps presents the biggest headache, he argues. With no opportunity to verify the security of apps that are available on Google Play and the Apple Store, companies simply have to deal with the issue of employees selecting and downloading apps — whether that’s to a work device or a personally owned phone used for work. The app Flappy Bird is just one notable example: the game was withdrawn by its founder in February 2014 only for hundreds of lookalike versions to emerge and become targets for hackers.

2. Don’t neglect ‘legacy’ threats

CIOs will rightly spend a lot of time monitoring and addressing new threats to the latest platforms. Yet just as important is keeping track of some of the older vulnerabilities as hackers update tactics and find new ways to attack, says de la Salle. “Phishing” — in which hackers try to glean personal information through what looks like an authentic company email — remains the most common form of attack, he points out. “Continuous improvement of the existing control framework is critical, including network defenses, anti-phishing, malware and physical controls.”

3. Educate users about cyber threats

A key part of the CIO’s role is to ensure the board, senior management and employees are suitably informed about the threats they face, so everybody in the organization spots danger signs and reacts to them appropriately.

Aside from providing specialist training, the security team needs to maintain a constant flow of communication via email, internal blogs, corporate social media and other channels so that staff are kept aware of security issues. But two-way communication also needs to be encouraged: the organization needs to create the right culture throughout, so that staff willingly ask questions and report concerns.

“At Old Mutual Wealth, we’ve created a culture where employees feel comfortable about asking the security and IT departments about any concerns they might have, an open environment that encourages the understanding of cyber threats,” says de la Salle.

Employees need to stay alert and use their common sense. That can range from ensuring they don't accidentally email confidential information to the wrong address to avoiding clicking on suspicious links in messages.

4. Broaden due diligence

CIOs must ensure that they undertake appropriate due diligence checks when they engage with both new suppliers and new clients. Hackers will often deliberately target smaller firms working for corporations knowing that the smaller entities potentially hold important client data in a less protected environment. But such checks have to be carried out with diplomacy and sensitivity.

Investment bank Merrill Lynch, for example, openly disclosed last year that it now audits the cyber security practices of its outside law firms to ensure the data it shares with them is being treated appropriately.

“Conducting suitable levels of risk assessment and due diligence on third-parties is important. We do background checks on firms of all sizes, from our largest partners to the firms that supply our toilet rolls,” says de la Salle. “Most of the time we work collaboratively [to obtain the right security levels]. And most suppliers we work with have the right mentality and are doing the right things already. But naturally we will deselect some from the process when it is felt their IT [security] is not up to scratch.”

5. Manage ‘shadow IT’

When line-of-business budget holders and other staff are buying devices and applications outside the control of IT, the CIO must strike a delicate balance between banning all outside tools for security reasons and encouraging productivity gains by allowing users to adopt tools of their choice.

At Old Mutual Wealth, certain tools — Dropbox, Facebook, LinkedIn’s messaging service and a few others — are on the not-suitable-for-work list. But the IT organization has been proactive in satisfying demand for such functionality. “There is no obligation on technology companies like Dropbox to protect any data our employees store there. We do not know where the company holds its information or the number of copies it maintains across its data centers.” Instead, Old Mutual Wealth has constructed its own internal cloud service to facilitate such file transfers.

First published September 2014