Kevin Angland, CIO of IAG New Zealand, is emphatic about the critical role of education and awareness when it comes to cyber security, and why security should be considered from the outset of any process in the organisation.
“We see events occur in the marketplace and they immediately become a trigger for us to say, ‘Well okay, have we got enough certainty that we could stop that happening here?’”
Some of that will be the education component of reminding people, and others would be from an IT perspective of putting more risk mitigation processes in place to stop cyber attacks from happening, he says.
He says IAG has a strong learning and development process.
“It’s not something that's just IT specific, we’ll bundle that up with other online learning programs.”
IAG has a head of information security who reports to him, and a new role, the chief risk officer.
Information security is everybody’s business.
“What we’re doing now is bundling risk aspects under an executive who is responsible for risk,” he says.
“If you think about our organisation, our biggest asset is the information and the data that we hold around our customers,” says Angland.
“We would say information security is everybody’s business because a security breach could be as simple as putting the wrong customer’s information in an email and sending it somewhere that it shouldn’t have gone.”
“So the big role of the information security team is, to a large extent, the boundary protection and making sure we’ve got mechanisms in place to prevent breaches.”
IAG has a holistic approach to information security. Depending on the scenario, Angland says the organisation has a crisis management process. That could be anything from a fire at a major site or an earthquake, to a potential information security breach with significant media reputational risk attached to it, he says.
“We would invoke our crisis management plan, which has a mixture of leadership across the organisation. It's not IT specific; it's an organisational wide process.
“We are an insurance company. And so our job is to identify, manage, and mitigate risk.”
Insurance is also one of those industries that are moving more and more online, he says. “We’ve got to be absolutely certain that in building new solutions, which is what our customers want, that we’re not exposing that asset or the organisation to risk.
“That’s a key: We don’t deploy any new public facing technology without conducting a significant amount of security penetration testing on that solution before we would make it live.
“Security is designed in at the outset rather than ‘now [that] I've got all this, how do we secure it?’”