Mark Uemura, Head of Security and Infrastructure at Flight Network, examined bring-your-own-device (BYOD), compliance and various IT security concerns in his keynote presentation to Argyle's CIO membership at the 2017 Chief Information Officer Leadership Forum in Toronto on September 27. In his presentation, "Information Security: A Real World Example with Lessons Learned," Uemura offered insights into IT security issues and provided recommendations to help CIOs quickly and effectively address these problems.
According to Uemura, CIOs often face a difficult choice. On the one hand, CIOs want to help employees use mobile devices and other tools and technologies that drive anywhere, anytime collaboration. On the other hand, ensuring sensitive data remains secure at all times can be challenging, particularly for companies that strive to allow workers to complete tasks remotely.
"We wanted to allow people to work, but we didn't want to allow them to take the most sensitive personal data … and leak it to the internet," Uemura stated. "But we also didn't want to be Draconian and block their internet access."
Ultimately, CIOs must remain flexible with IT security. CIOs who are able to analyze IT security issues and adapt their IT security policies accordingly may be better equipped than others to safeguard their respective companies against myriad cyber threats.
"If I didn't change the policies, I couldn't implement the new technologies and solutions that would actually allow people to be more productive and more efficient," Uemura said.
CIOs also must be able to implement IT security technologies that are difficult for employees to bypass.
In many instances, employees may be able to shut off certain IT security capabilities on their work computers. But CIOs who take a proactive approach to IT security technology implementation can ensure that employees won't be able to bypass numerous security measures.
"In many highly regulated companies, things are so locked down that security is always hitting people in the face," Uemura noted. "Unfortunately, tech-savvy individuals can bypass all of the security goodness that we implement to try to prevent security badness from happening."
Although CIOs have a wide range of IT security options at their disposal, one of the key parts of a successful IT security strategy is education. With the right training programs in place, CIOs can explain how employees can mitigate cyber risks and teach workers about the consequences of failing to comply with IT security policies.
If CIOs develop training programs to teach workers about IT security, they can help employees identify cyber risks before they lead to cyberattacks. As such, CIOs should allocate substantial time and resources to education, as IT security training programs can deliver immediate and long-lasting benefits to a company and its key stakeholders.
"We disabled everything for the sake of data loss prevention," Uemura indicated. "Yet we leave a gaping hole to the internet. We used education, and it helped [key stakeholders] understand the risks. However, it's best not to rely on the end user to do the right thing. Not allowing direct internet access from trusted environments is key."
CIOs should prioritize data leak management as well, because if a single source of data leakage becomes apparent, it could cause a company to suffer a major data breach.
"If you have just one port open, it's trivial to leak data," Uemura noted. "We had more than one port open … and that wasn't good."
When it comes to developing effective IT security practices, it usually helps to consider multiple perspectives too.
For example, Uemura indicated his company evaluated how data may be leaked, along with how it could help its employees avoid data loss. This approach enabled his business to determine how to safeguard its sensitive information and effectively deploy BYOD.
"When you are adopting a BYOD policy, you have to assume that your staff are going to connect from compromised, malware-infested home PCs. You are forced to explore ways to work around and mitigate these [IT security issues]," Uemura stated.
Employees may have access to a wealth of sensitive information on a day-to-day basis. However, CIOs are responsible for protecting this information and must do whatever they can to avoid data leakage.
By providing workers with solutions and devices that feature built-in security capabilities, a company can minimize risk and help employees optimize their productivity and efficiency. In fact, these solutions and devices simultaneously enable employees to perform everyday tasks and limit the risk that sensitive information will fall into the hands of cybercriminals.
"We knew that [stakeholders] weren't security experts and probably wouldn't follow key policies," Uemura said. "What we wanted to do is make the security part more transparent. We wanted to build security within the solution and not provide anyone with the ability to toggle security capabilities on and off."
Over time, CIOs can implement proven IT security solutions, reduce the risk of cyberattacks and foster trust with an entire workforce. In addition, CIOs can collaborate with employees at all levels to learn about their IT security concerns and ensure that these workers can reap the benefits of IT security solutions that are both effective and user-friendly.
Mark Uemura is a Senior Director of Security and Infrastructure at Flight Network, an Online Travel Agency. He has worked in both small and large organizations over the past 20 years implementing practical solutions that enable, secure and empower businesses through the use of technology. He is also passionate about people development, fostering strong company culture and building ideal work environments to inspire teamwork and innovation.