Learning from Others: Sony and the emergence of the CIGO

Hacking is something that could happen to any one of us, with our private records compromised. The secret to defending yourself or your organisation lies in learning lessons from others and considering who might want to target you – some basic principles of risk management.

Consider Sony, which suffered probably the most high-profile ‘hack’ of recent months. Sony had been targeted before, but it seems it had not learnt from the attacks that it and others had suffered. Despite the technical and human resources at its disposal, several terabytes of data were stolen, seemingly with no-one noticing anything amiss – how could that be possible?

Some of the methods used in hacking are quite basic – many corporates hold directories of static passwords for some pretty powerful system accounts. Many struggle to get the right balance between security and usability – the tougher the security measures get, the more employees will try to find ways to make their lives simpler (Post-it notes with passwords stored under keyboards, anyone?). IT departments, with responsibility for information security, are often seen as ‘cost centres’ and targets for budget reductions, which often conflicts with demands to improve cyber security.

That said, strong layers of defence against the outside world are one thing, but organisations still need to be checking on the inside – employee awareness and behaviours, social engineering, and the increased adoption of BYOD and social media for business use all bring their own threats, in terms of both reputational and financial damage. Writing to one customer to inform them that their credit card details have been compromised might cost £1, but what if it is to a million customers? JP Morgan had to admit in 2014 that some 80 million customers’ details had been compromised by a Russian criminal gang.

In conclusion, the role of the CIO / IT Leader is becoming increasingly fraught with risks and with pressures to reduce the costs of ‘technology’, so much so that we may soon see the principal responsibility for all aspects of technology and information management residing with the ‘CIGO’ – Chief Information Governance Officer. The role of the CIO emerged over many years; the role of the CIGO may well come around much more quickly.