Put IT security in hands of a chief risk officer, says Canadian expert

Organizations must take IT security away from the information technology department and put it in the hands of a chief risk officer if they want to make a meaningful dent in the increasing number of cyber attacks, says a security expert.

“Something that important shouldn’t be left to the techies – and I am a techie,” Jose Fernandez, associate professor of computer engineering at Polytechnique Montreal and co-investigator at the Smart Cybersecurity Network (SERENE-RISC), said in an interview this morning. The network, which holds its second annual workshop in Montreal starting Tuesday, is a group of academic, government and industry researchers trying to help governments and the private sector manage online risks.

“This is not a technology problem,” Fernandez said. “IT security is a business problem, and until we view it that way then it’s going to grow and will start taking down large corporations.”

The risk officer, who in his view has to report either to the board of directors or the CEO, must have responsibility over all departments, he said, to make sure users “aren’t doing stupid things like going to Web sites and getting infected” and are managing corporate information correctly, and in some cases to ensure that business processes are re-engineered.

Fernandez is one of the speakers at the workshop, which will look at global cybercrime, the work of the federal Canadian Cyber Incident Response Centre, cybersurveillance, information and security research, data breaches and underground markets.

Fernandez will talk about a pilot study he and others undertook in 2011-2012 on the effectiveness of anti-virus software on 50 laptops given to a random number of users over a four-month period. Among the findings after looking at the machines was that the software on 19 PCs was able to detect and stop infections, but on 10, viruses were able to penetrate defences.

Researchers also made some interesting findings on user behavior, including that computers owned by men were no more likely to be infected than those owned by women, nor was age a factor. But one finding that surprised him was that users who had some computer expertise were more likely to have their laptops infected.

“It’s almost a little knowledge is a dangerous thing,” he said. More likely is that these people are less risk averse, he said.

Another conclusion from the data is that porn sites aren’t the most likely source of malware. Sports and entertainment Web sites were also places where users’ PCs became infected. Rather than drive users to an infected Web site, cybercriminals are increasingly using ads on popular Web sites, he said.

He acknowledged that the study’s small sample isn’t sufficient for policy-makers to use, but it is useful to show where research can go. “It’s important that corporations do these studies every once in a while,” he added.

The Globe and Mail reported this morning that more C-suite executives are taking cyber security seriously, with 60 per cent saying they are spending more than they did two years ago.

But, Fernandez said, if only money is being thrown at the problem it will be wasted. “It needs to be a top-level led effort.”

Many researchers and vendors are looking for solutions to the increasing number of reported data breaches, but he said the fallacy is trying to find a silver bullet – one solution, one piece of software or hardware. “We in society, in industry and government have to start giving this problem a priority. At the same time the actions we can take can mitigate the problem quite a bit. These actions are a combination of technology, but more importantly user awareness and putting incentives in the right place” – such as criminal and civil sanctions, as well as rewarding those within corporations for making the right decisions.

He described the current state of IT security as “the next global warming crisis.” It needs to be taken more seriously because the potential for cyber attacks to shake not only the global economy but also democracy “is quite great.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
