Avoid a security breach: Nine things every CIO can focus on

Avoid a security breach: Nine things every CIO can focus on

Tait Communications CIO John Emerson discusses why security of information is a prime concern, and where to start to make a difference.

John Emerson, CIO for
Tait Communications, says a security breach can impact an organisation at least four ways: Loss of reputation, customer or community trust, intellectual property theft, loss of investor confidence market share and revenue, and legal action.

Security is as much of a concern for shareholders as regulators, he says. “Ultimately though, it doesn’t matter how a hacker gets in. Once they are inside, the damage could be substantial.”

He points out the case of a large Australian company that lost 20 percent of its market value within three days of a security breach being disclosed.

He lists nine areas CIOs can focus on to reduce the likelihood of this occurring in their respective organisations:

Mobile devices

Include work and personal devices, particularly if they operate on public networks, including TCP/IP.


Background check staff and ensure they participate in the development (or upgrade) of your security policy.

Land Mobile Radio (LMR) network

Include base stations, devices and software.

Other networks

Local area, wide area and the cloud; if these appear secure, pay an accredited organisation to try and break in to test it.

Vendor supply chain (products and services)

Ensure they have ISO 27001 certification.

It doesn’t matter how a hacker gets in. Once they are inside, the damage could be substantial.

John Emerson, Tait Communications

Bring your own device (BYOD)

Policy and processes should be in place to protect and secure private data and applications.

Social media

This creates new opportunities for hackers even on a work device at home. Ensure this is covered in the security policy.

Physical security

Often overlooked, ensure processes around access logs, swipe cards etc, are stringent.

Software applications

When considering new applications for purchase, ensure they are secure.

Related: Expat CIO returns to pick up on Tait's 'innovation DNA'

John Emerson takes on the global CIO role at Tait after ICT leadership roles offshore.

Related:Global Information Security Survey 2014: On the defence

Are New Zealand organisations prepared for the constantly evolving information security threat landscape? How do they compare with their global counterparts?

2014 is the tipping point year of mobile malware

Read more: AT&T: The CIO security checklist

Money: The Root (kit) of cyber evil

Ammar Hindi, managing director, Asia Pacific for Sourcefire (now part of Cisco), talks about what networked organisations are up against – the industrialisation of cybercrime.

If anyone was in any doubt as to how lucrative the cybercrime industry is, one should look no further than the recent case in the US where a gang allegedly drained the cash from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries.

Regardless of the specifics of the situation, however, it has been clear for some years to those in cyber security is that cybercriminals are well motivated, well equipped and well-skilled to make huge amounts of money through their illegal activities.

Indeed, today's cybercriminal gangs are so well organised that often they buy "off the shelf" rootkits and software, which they use to carry out their activities. Often this software comes with manuals, 24/7 tech support and, in some extreme cases, advertising. They also use the internet to gather a "distribution" network around the world to deliver their attacks, either physically or online via botnets.

Of course losing cash is not the only risk companies face from cybercrime; many high profile attacks on major brands have seen their reputation and stock price damaged by breaches of sensitive information. And while many in the industry readily understand the risk, some at the board level in business seem to live in a kind of denial that it can happen to them.

Before we blame them for this oversight, however, maybe we should appreciate their situation. Year after year, they hear from analysts and observers how security is vital, and so they duly write cheques for the newest and best technology in security to protect their businesses.

But unfortunately in today's security world, writing cheques is not enough. Building up the walls and layering defences will stop some of the attacks, but such is the resourcefulness of the cybercriminals, they will still get in.

Today it is a matter of being able to track how a network was compromised; how the malware got in; where it went to once inside the organisation; and what it did - even if it did all of this days or weeks ago.

Security has changed and there is no silver bullet as many senior management staff have unfortunately discovered.

Related:Step up and engage the board about information security

Security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.

Send news tips and comments to

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags CIO roleCIO100Tait CommunicationsJohn Emerson

More about 24/7CiscoCisco SecurityCisco SecurityEmersonFacebookISO

Show Comments