Getting cyber secure is tipped to be one of the top challenges for businesses in 2015, so we spent ten minutes with IT Governance’s chief information officer (CIO), Neil Acworth, to find out more about him, what makes a good CIO, and the top information security challenges he faces.
- Where did you graduate? Leeds University, UK.
- How long have you worked at IT Governance? Just over two years.
- What qualifications do you have? BEng, MSc, TOGAF and various, now expired, development certificates.
- How many years’ experience do you have in IT? 20.
- What is your favourite part of the job? Fixing things that aren’t working.
- And your least favourite? Not having the resources to do everything I want to do.
Could you give us a breakdown of your duties as IT Governance’s CIO?
There are three strands to my job: I’m responsible for improving business productivity through automation, integration and better use of software; for managing our infrastructure and helpdesk function; and for looking after our software development business, which exists to provide internal solutions and enterprise software products – all while keeping on top of information security risk and maintaining compliance with the PCI DSS, ISO 27001 and ISO 9001.
How did you get interested in information security?
If you work in IT and you’re interested in doing well, then you have to be interested in information security. It’s got to be ingrained in everything you do, whether you’re a junior developer or a CIO. Having said that, it’s probably five years ago, when working as an enterprise architect, that I really started putting it at the centre of things and thinking about security in terms of availability and integrity, rather than just being about restricting access.
Working for a private firm, what do you feel are the biggest information security challenges?
There’s no such thing as perfect security, so with any business the trick is to understand the level of risk and respond accordingly. The difficult bit is knowing whether what you’re doing is effective. You’ve got to have a comprehensive security management system that’s audited regularly. We’re obviously advocates of ISO 27001, and I’m very lucky that we have a dedicated Technical Services team that offers security penetration testing; we test our own infrastructure and people regularly.
How difficult is it to get board approval for security projects you’d like to move forward?
As a board, we’ve already agreed that we’ll follow and comply with ISO 27001, so from my point of view the hard work is already done. We don’t have unlimited resources or budget, so we make sure we spend our time and money most effectively by following ISO 27001’s risk-based approach, and this allows us to prioritise projects effectively. The decision-making is simple and transparent; we do what we need to do to bring risks within our acceptance threshold.
Security is a big part of your life. How do you make sure everyone at IT Governance (from the cleaner to the head of training) is following best practices?
Among other things, we sell online training courses for staff awareness, and we use them internally to ensure our staff are educated and assessed regularly on security issues. Tracking staff performance against these courses is one of our information security management system’s measures of effectiveness.
As we’re ISO 27001-certified we also carry out regular audits, both internally and by an accredited third party. This keeps us honest.
What do you feel are the most valuable qualifications for someone wanting to make a career in information security?
Personally, I’ve followed the on-the-job training route and learn as I go along, but I’ve been fortunate to work with some very well-informed people. If I were going to start again, I’d look into getting CISSP or CISM certification.
How do you feel technology (e.g. mobile, BYOD, Cloud, etc.) has changed your job role?
Technology has made some things much easier, particularly with Cloud services. There are economies of scale with security, and by choosing wisely you can actually improve your security by using the right providers. They’re like moneylenders: you’ve got everybody from the street-corner loan shark to the triple-A-rated bank. Looking for the appropriate certifications is critical.
The flip side is that the boundaries are now very blurry: you can’t think in terms of a network, a DMZ and the Internet anymore. BYOD has raised people’s expectations of what IT should be providing, but the solutions to the problems it brings aren’t there yet.
Where do you see yourself in five years’ time?
Ideally, on a beach in the Bahamas…