Our Head of Security and CISO Service lead, David, is recognised as one of the Top 10 influencers by Thomson Reuters, and a Top 50 global expert by Kingston Technology. He is also one of the Top 30 most influential thought-leaders and thinkers on social media in risk management, compliance, and regtech in the UK.
In his role as Head of Security at QuoStar, David leads the CISO Service. The CISO Service provides businesses with the cyber-security skills and experience necessary to manage the multitude of threats and the rapidly changing risk landscape of today, on a flexible and cost-efficient basis. David takes a moment to share his views on it all.
1. How did you get started in the security field and ultimately become a CISO?
David: I was around when some of the first viruses went mainstream. Back then I worked for one of the only companies that made Multi Factor Authentication systems in the ’90s. It was “leading edge” at the time.
I built and ran one of the largest commercial remote access platforms using Multi Factor Authentication. Then I ran Infosec for some FTSE 100 companies, one of which was the largest private trading network in the world – trading 3.5 trillion dollars a day. Another was managing Global Security Services Operations Centres (24/7) across 4 continents, where most of the customers were FTSE 250.
2. What do you enjoy most about working as a CISO Service resource/consultant?
David: Meeting challenges of audit, due diligence, and breach management.
Audit is getting more involved and complex and due diligence is often 300-400 questions and an “interview” with the compliance department of potential customers.
Breaches are about managing with around 10% knowledge of the situation and making decisions in a very short time for the best outcomes – while ensuring buy-in from the board. They always seem to happen on Friday evening!
3. As Head of Security, what challenges or issues do you regularly see in small and mid-market businesses? Why do you think the same issues keep occurring?
David:
- Robust management of access and privilege management.
- Managing risk consistently.
- Not aligning Cyber Security with Data Protection requirements – as they overlap at a core level.
If you have control of the information assets, servers and cloud, information security is much easier to manage. It enables savings in resource and effort if this happens, and can demonstrate control and improvement to the business.
4. How do you think the security landscape has changed in the last five to ten years?
David: As a CISO Service lead, I believe it is managing the hybrid of internal servers and cloud – and managing the challenge of access control. The company boundary is very fluid, especially where ‘what’s company and what’s personal’ is concerned.
One of the best frameworks is ISO27001. It is good for demonstrating accountability and decision making. It also aligns with SOC2 and parts of HIPAA quite well.
5. What do you think will be the emerging risks businesses need to consider in the next 1-2 years?
David: It used to be technology first, then followed by making technology safe and compliant. Now technology needs to be safe and compliant first, and performance orientated second – along the lines of what has happened in the automotive, aerospace, building and food industries.
The risks potentially surround the technology itself not having enough security management capability, or that if it does it can be resource intensive. There’s also the globalisation of threat actors and the capability of managing multiple global data protection regulations.
More recently (in summary, on June 2) the US Biden government issued a memo to US businesses stating the five best practices – one being Multi Factor Authentication. Other important aspects are multi-pronged backups, updates, incident response, external testing and network segmentation.
6. Has the Covid pandemic exacerbated security concerns or introduced new ones for businesses to deal with?
David: Probably, due to homeworking and fast transformations of moving office servers to the cloud, as well as an increase in ransomware attacks, an increase in data protection legislation globally and the increase in corporate security due diligence concerns.
It has been an increasing challenge for a Head of Security. We have seen an increase in demand from due diligence enquiries, especially for more detailed homeworking policies and guidelines. So, the lines have blurred as to what is a home device or a work device. The “physical office” is now the home office, and mandated rules now have to be guidelines that are appropriate – as well as using more layers of defence to protect staff and corporate assets.
7. Do you think businesses focus too much on the technical/technology element of security (e.g. AI solutions)? What other areas do they need to consider?
David: Potentially yes. Without an end-to-end strategy, security technology “tactics” are unlikely to see a ROI (Return on Investment).
As Head of Security, I see that the human element of security is also overlooked quite often. Especially when you consider that almost half of all security breaches are caused by human error. This is even more disconcerting when you consider that only 60% of employees will report a security breach.
We are actually hosting a free webinar on that subject on 29th July 2021 at 1pm, so if you’d like to know more register for free.
8. How important is cyber-security education? What are the challenges for a Head of Security conveying the risk/educating business? Who in the business needs to receive education/training and how often?
Education is very important, as is having the appropriate training for each role, ideally aligned to the company’s risks – so that maximum benefits can be realised, e.g. developers would require different training from HR staff, as the risks they are managing are different.
Of course, there will always be a need for baseline cyber and data protection training. You can find out more about what Security Awareness Training there is available for employers and employees in our article here.
9. Do you feel there is a security skills/talent shortage? What advice would you give to businesses to combat this?
David: I’m not entirely sure. If there is a shortage, there is definitely a misunderstanding of what skills are required.
Personally, I would align the risks and the strategy, then decide what skills are required to make it happen. It may be that companies would benefit from outside help – to formulate the strategy, and always have access to a range of skill levels onboard to achieve skills resilience.
The other issues that many companies seem to come up against are 24/7 and global, so having just one capable Security resource will not be enough to cover these time periods.
10. As Head of Security, what advice would you give to businesses who want to reduce risk and increase their security posture?
David: Manage Risk regularly with key stakeholders.
Ideally, do not remove a risk or lower a risk without evidence from at least one of the following, e.g. a policy, procedure, penetration test, internal audit, external audit or risk committee approval. This will demonstrate accountability and assist in managing data protection, to enable a defensible position in the security posture.
Ensure a multi-layer approach to security. Utilise things like access control, least privilege, approved applications, strong email defences, layered endpoint security, centralised control of endpoints and access, plus multiple point backups.
11. If there was one security investment you could recommend to businesses what would it be and why?
David:
One piece of tech most companies aren’t using
To keep companies ahead, Secure Access Service Edge will help with Cyber security and Data Protection. The ROI is great! It releases staff time, and the payback can be in months.
One Framework
You can manage risk and accountability using the ISO27001 framework. Even if you are not going to be certified, ISO27001 also helps align with NIST and SOC-2, and can help align some components of data protection. It can clearly demonstrate accountability.
Training that is focused to the role in the business is most appropriate, using the “Incident” metrics to tailor training and technology requirements.
One practice
Have a data/Cyber champion in every business function so you’re able to manage threats, risk and increase incident reporting capability to enable “real-time” issue management.
We hope you found David’s current take on cyber-security insightful. During his career David has worked across multiple sectors, including financial services, government, utilities and FinTech, working with a variety of clients – from start-up level and SME up to FTSE 100. He previously held the role of Global Head of IT Security at BT and Radianz (formerly Reuters). He has also been responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion/trillion-dollar environments. He is also an active CISO consultant on our CISO Service offering.
Having a CIO-level professional on your board is the first step to treating IT as a strategic asset rather than a cost. The question is: full-time, interim or virtual CIO?
IT is no different from any other business-critical area. You know a transformational IT roadmap will bring significant operational and financial benefits, but you need a professional with the right skillset to pull it all together. It needs a strategy, leadership, and ongoing management if you want to achieve measurable returns and competitive advantage. A CIO – but do you need that position filled in-house or with a virtual CIO?
A CIO (Chief Information Officer) is usually the most senior technology executive inside a business. They hold responsibility for the IT strategy and determine areas for improvement and development within the IT systems and processes. A commercial mindset, extensive experience, and a deep understanding of technology and its application are necessary for a CIO.
Unlike an IT Manager, a CIO is more outward-facing. They will focus on IT strategy and leadership, ensuring that IT is aligned with business goals and works in unison with the overall business strategy. However, as the CIO is often the executive-level interface between the IT department and the rest of the business, they need to keep abreast of day-to-day operations and issues. Any IT projects will likely be owned by the CIO, and they will be accountable for signing off on the solution and the implementation. They will ultimately be responsible for the project’s success, outcomes, and ROI. A good CIO can see past emerging technology hype.
Many businesses assume that the only way to gain access to a CIO’s knowledge and experience is a permanent hire. While this is certainly one option, it can be costly and unnecessary for your current needs. If you’re flying blind how will you know they really are as experienced in the field as you require? There are alternatives available that may be a better fit for you.
We explore four different ways businesses can fill the CIO role: Full-time Permanent CIO, Interim CIO, Virtual CIO and a CIO service. We look at pros and cons of each to help you with the decision-making process.
The 4 types of CIO you could hire
- Full-time, permanent CIO
A full-time, permanent-hire CIO is an experienced technology leader who sits within the business at board level, with full time generally meaning a 40+ hour week for most – and doesn’t come cheap.
What are the benefits of hiring a full-time CIO?
- Dedicated and experienced IT leadership at board level
- Effective IT strategy that works in unison with the business strategy
- Removes the load from senior leadership, allowing focus on their expert areas of the business
- Delivery of operational improvements and a measurable return – they’ll advise on the right investments
- Significantly reduces the likelihood of poor project outcomes, disruption and disgruntled staff.
- Enables businesses to address and manage risk more effectively
- Awareness of evolving threats, as well as changes in the commercial landscape
- Gives a competitive edge, allowing the business to mitigate risk and capitalise on opportunities their competitors may be unaware of.
What are the disadvantages of hiring a full-time CIO?
- The CIO skillset is in high demand – these senior professionals can pick and choose their roles to some extent
- The specialist knowledge makes a CIO an expensive hire. (Average salaries are around £141,000 but can be upwards of £200,000)
- If this is the first CIO a business has hired, then senior leadership may be unsure of what they need.
- Difficulties assessing candidates’ experience and whether it aligns with business needs only serve to make the process even longer
- Mid-market businesses may not have the requirements for a full-time CIO
- Although the strategic direction and commercial focus will undoubtedly be of benefit, a less complex IT environment and a lower capacity for projects could mean a limited scope for change
- Research shows that CIO tenures are short, with an average of just 4.3 years – making them the shortest-tenured C-suite exec
- Two-year stints aren’t uncommon as CIOs often want new challenges and the opportunity to deliver real change.
- A full-time CIO may turn out to be a very expensive, short-term hire. You might find yourself stuck in what feels like a constant recruitment cycle.
- Interim CIO
Also known as a Contract CIO, an Interim CIO is an experienced technology leader who temporarily fills the CIO role. The average tenure is between six months and two years, and an Interim CIO is usually brought in to tackle a specific challenge while the business transitions between permanent CIOs. However, they are also sometimes hired to support and mentor a newly hired or promoted CIO.
An Interim CIO’s role typically falls into one of two camps:
- Responsible for building corporate resilience so the business can maintain a competitive advantage. Essentially keeping the lights on.
- A transformational role, tasked with formulating a strategic plan and executing it.
What are the benefits of an Interim CIO?
- Quicker to hire – a benefit for businesses in ‘crisis mode’ who cannot afford to wait to make a permanent hire
- A benefit to time-sensitive projects (such as an M&A) and need for immediate access to the skillset
- Their laser focus on a specific project or business area allows Interim CIOs to add immediate value
- A dedicated, experienced professional driving an initiative increases the likelihood of that project remaining on track and delivering expected outcomes
- A rich and varied CV can make Interim CIOs valuable mentors
- Experience across multiple industries, business types and environments. They will have seen a multitude of scenarios and challenges – knowledge that can aid the IT department
- Can help senior leadership make better IT-related decisions
What are the disadvantages of an Interim CIO?
- Interim CIOs are an expensive hire
- They are in high demand, and with a limited number of professionals available, they can cherry-pick their projects
- An Interim CIO is only going to be available for a set period, so there may be limits as to what can be accomplished in that time
- Businesses will need to define a clear objective for the engagement and a fixed schedule for delivery
- Existing problems in the business environment may affect the success of delivery
- Long-term or chronic underinvestment in the IT environment, problems left behind by predecessors, or a need for overall business transformation can all affect project delivery
- An Interim CIO will need to quickly get up to speed with the organisation structure and technology portfolio, and quickly win round and influence key team members to ensure objectives are met. (Of course, it’s not impossible, but the senior leadership team need to be confident in their hire.)
- Virtual CIO
A Virtual CIO (vCIO), also known as a fractional CIO, provides consultation on IT and technology strategy as a third party. Compared to full-time and Interim CIOs, who take an active role in company operations, the vCIO is often an advisory role.
They will have similar responsibilities to an in-house CIO, but the core difference is that the service is delivered virtually. You may not meet your Virtual CIO and there could be multiple people working on the business at different times, depending on the structure of service.
What are the benefits of a Virtual CIO?
- A vCIO Service offers significant cost savings compared to hiring internally
- Most services are offered at an hourly rate or flat fee, making it easy to budget and account for
- With a vCIO you will have someone dedicated to strategic IT management, even if it’s on a limited basis
- A good starting point for companies new to the strategic approach
- Will be better than people within the business spending a few hours here and there trying to make improvements.
What are the disadvantages of a Virtual CIO?
- Virtual CIO Services focus more on the improvement of day-to-day operations, rather than long-term strategic planning, management and innovation
- A vCIO typically works across multiple businesses, so may not be as readily available to deal with issues that arise
- Businesses which are tech-heavy or very reliant on technology will probably need a more heavyweight and involved resource
- As a virtual service, you may have little to no ‘face time’ with your CIO
- It may be difficult to build trust as the CIO may feel disconnected from the business, affecting results delivery
- Depending on the provider you have chosen, you may also need to factor in time zone and cultural differences.
- The CIO Service – a better alternative for the mid-market…
You may feel that a virtual CIO won’t deliver the expertise and attention needed to achieve measurable outcomes – but you also don’t have the resources or requirements to justify a full-time hire, and an interim CIO just won’t do.
Often, it’s not operationally or commercially viable for mid-sized organisations to have a full-time senior internal IT professional. However, access to professional IT management expertise and skills offers a competitive advantage. With the right management, IT can improve the business’s bottom line, aid client engagement and service delivery, and improve staff retention.
Luckily there is a fourth alternative that bridges the gap, while still delivering tangible value on a cost-effective and flexible basis – a CIO Service.
QuoStar’s CIO Service has been specifically designed to provide mid-market businesses with the strategic IT leadership necessary to deliver the benefits of a full-time CIO but without the significant costs.
What are the benefits of a CIO Service?
- Harness the transformational potential of IT
- Enables access to the skills, expertise and commercial acumen of a CIO-level consultant
- Flexible and cost-efficient
- Supports organisations throughout their entire IT transformation journey; from evaluating current standing and areas for improvement, through to building and implementing a roadmap and change plans.
Our QuoStar CIO Service offers:
- Proven, seasoned sector-specific CIOs with a combined 60+ years’ experience
- A proven methodology and framework to deliver a strategy and transformation
- Completely embedded within your organisation – one of the team
- Guaranteed results backed by our Outcome Assured™ promise
- Delivering measurable outcomes for businesses just like yours!
If you’ve ever had to request budget from the board or tried to get buy-in for an IT project, you will know how difficult it can be to get the board engaged with IT. Despite the critical role IT plays in operations, too many senior executives still see it solely as a cost to the business rather than as a competitive advantage.
Research shows that regular conversations between IT and the board actually decrease IT and cyber risk, while increasing innovation and IT project ROI. These gains improve the more frequently the conversations occur: conversations held every quarter hold more value than those held bi-annually or annually.
However, getting these conversations to happen in the first place is often the most difficult part. IT Managers can struggle to get their voice heard at board level and IT often does not feature on the agenda as often as it should. Part of the problem is this often requires a change in culture, but the good news is IT Managers can facilitate this by framing their conversations with the board in the right way.
3 strategies to engage the Board of Directors with IT
Most organisations spend a significant portion of their revenue on their IT, so they need to be sure that it is being invested wisely and delivers a return for the business.
This can only happen when senior executives fully embrace the potential of IT and view it as a strategic asset. While it’s important that IT has a voice at board level, the conversations themselves need to be effective too. We’ve compiled three best practice tips to help IT Managers frame the conversation in a way the board will engage with.
1. Make Technology a Routine Part of Conversation
IT Managers need to think strategically about how they can navigate technology conversations with the board. Assess the levels of technical knowledge and understanding to determine whether an educational component is required and build conversations accordingly.
Some members of the board may be more technologically savvy than others. Identify these allies and build relationships with them, as they can help you garner support for IT investment and focus from other members of the board.
Consistent communication is key, so ensure IT features as a standing item on the agenda, or designate regular meetings where you can focus solely on IT. Strike the balance between protection and growth and build a narrative which focuses on both the short term (6-12 months) and the long term (5+ years).
Any conversations about long-term strategic planning should be a collaborative effort. IT Managers should be fully briefed on the intended strategic direction of the business so they can educate the board about the relevant risks, opportunities, and industry changes, ensuring the IT strategy supports the business objectives and the budget is allocated effectively.
2. Demonstrate the business value of strategic IT investment
You will need to make the case for IT investment, so be prepared to convey the financial, operational and reputational benefits. Back your pitches with data and present the information clearly and concisely e.g., by utilising dashboards and scorecards.
You may need to ‘connect the dots’ and give context to the risks facing the business. If board members do not understand the mitigating effects or benefits a particular solution or service will deliver, they may not be willing to allocate the funds. For example, data security might be a concern for the board, but they may not understand why the business is a target, where it is vulnerable, the effects a successful attack can have and how it can be prevented. Take into account the board’s own appetite for risk and align your recommendations and scorecards to reflect this.
Budgets can vary widely so you may wish to present a shortlist of options to the board. However, if you do decide to do this you need to ensure the board is fully aware of the limitations of each one, so they do not decide based purely on flat costs.
3. Focus the conversation on the right topics
Try not to get bogged down in the technical detail during conversations with the board. It’s unlikely that their level of technical knowledge will match your own, so they will be less likely to engage if it doesn’t seem directly relevant to the business. Instead, focus the conversations on the potential impact and deliverables of IT.
Performance
Ensure that the board understand how IT can positively or negatively impact the performance of the business.
- Financial – Link technology investments to financial performance such as profitability, margin and revenue. Demonstrating the positive impact can help the board see IT as more than an operational cost.
- Operational – Demonstrate how IT can improve the efficiency of operations and free up budget for innovation and business transformation. This may include things like automating processes, replacing legacy systems, and embracing cloud services. IT Managers can support this process by measuring, reporting, and discussing the impact of technology-driven business transformation.
Risk
Ensure the board keeps up to date with current and emerging threats, be they cyber-attacks or disruptive technologies. IT Managers can help develop the risk appetite and measures to prevent unnecessary risks from being taken. IT and the business must be wholly aligned on risk appetite levels to ensure neither side makes inappropriate risk management decisions.
- Cyber Risk – Businesses must be able to protect their assets from cyber-attacks if they want to achieve strategic goals. IT Managers have the responsibility to educate the board on current and emerging risks, the potential threat to the business and remedial actions.
- Regulations – Technology can help businesses comply with regulations, but it is also the subject of regulations itself – such as data privacy. Boards need to be aware of how technology can speed up the process of meeting compliance policies, as well as where regulations may require additional investment or affect company priorities. Conversations should focus on the positive and negative implications of the regulations, the opportunities for rationalisation and any other business impacts.
- Industry Challenges – New technologies can topple a company’s competitive position and business models. Help board members understand the risks and opportunities of technology-driven industry disruption to ensure the business doesn’t fall behind.
Strategy
IT Managers should help guide the overall business strategy by educating board members on the strategic potential of IT and other disruptive technologies.
- Innovation – IT Managers can help create a bolder risk appetite by demonstrating how the effective use of technology can result in business growth. Successful innovation requires a culture of continual incremental improvement. Boards need to give IT Managers the opportunity to test, experiment and analyse.
- Data – Help the board understand how technologies such as machine learning, natural language engines and AI can help businesses better collect, process, and analyse customer data. Highlight how this data can be used for more effective decision making and monetised for business success.
- Client Experience – Customer demands are constantly changing and increasing. Businesses need to keep pace with this if they want to both attract new customers and retain their existing ones. Service levels are a key battleground. As service levels increase across all industries, tolerance levels have declined, and customers are no longer prepared to accept reduced levels out of brand loyalty. IT Managers can help the board meet these challenges by showing how to leverage technology to proactively anticipate and address customer needs. These conversations can help ensure the pace of technology change aligns with customer readiness.
Strategic development for IT Managers
IT Managers have a huge wealth of technical experience and understanding, so it makes sense that they are often heavily focused on the technical details.
This knowledge is highly valuable to a business, but it doesn’t always translate to the board. If they do not understand, they will not engage. They need to see the business benefits of investing in IT. Requesting budget to replace an old server, for example, is not enough. However, if you explain that the new server will help increase resilience, availability, and network performance, and enable employees to deliver faster customer service, the board can begin to understand the ROI of that investment.
If you’re used to focusing on the technical details, then framing conversations in this way can feel a little uncomfortable initially. IT Managers who want to take a more strategic standpoint should seek out additional training and mentorship from experienced CIOs and IT Consultants. A dedicated Coach can give IT Managers advice and direction, provide education (where required), share knowledge and best practice, help develop a commercial mindset, and talk through challenges faced by the business and how to overcome them.
We all know that IT brings a wealth of benefits to any business: from allowing employees to work more effectively and supporting better collaboration and communication, through to enhancing service delivery and increasing customer satisfaction. Technology is now involved, in some part, in almost every area of operations and every critical process – regardless of the sector or size.
However, the more entwined IT is with the business, the greater the potential exposure to IT risk. These types of risks can have a catastrophic impact, so it is vital that businesses identify IT risks, take steps to control them, and develop a robust response plan in the event of an IT-related crisis.
What is IT risk management?
IT risk management is the set of policies, procedures, and technologies a company uses to protect its business from threats and mitigate their impact. It is essentially focused on reducing technology vulnerabilities which can affect the availability, confidentiality, and integrity of systems and data.
By identifying and evaluating potential IT risks, businesses can be better prepared for potential threats, minimise the impact of an incident and recover faster should something happen. Managing IT risk also helps guide further strategic planning by ensuring risks which may impact the business achieving its goals and objectives are identified and controlled effectively.
What are some examples of IT risk?
Threats to your IT environment can occur internally or externally, and they can be unintentional or deliberate. The potential risks are numerous, but can typically be broken down into the following categories:
- Physical Threats: As a result of physical access or damage to IT resources. This could include theft, fire or flood damage, natural disasters, extreme weather, or unauthorised access to confidential data – either internally or externally.
- Security Threats: Where cyber-criminals or other malicious actors attempt to compromise your business. This could include computer viruses, malware, ransomware, phishing/vishing, business email compromise (BEC), and other targeted attacks. Or it could involve the business, or an employee, falling victim to a fraudulent website or email.
- Technical Failures: Such as software bugs, unpatched software, system weaknesses, computer crashes or complete failure of a core piece of infrastructure. Technical failures can be catastrophic, for example, if a hard drive was corrupted and there was no way to retrieve the data. This could also include legacy technology which is difficult and expensive to maintain.
- IT Management Failures: Where a company fails to embrace new technologies or methods of working, resulting in lost opportunities and reduced productivity and efficiency. It could also include failing to deploy new software releases or updates, leaving the company open to bugs or security flaws which could be exploited by cyber-criminals.
- Infrastructure Failures: This could include things like the loss of your internet or telephone connection.
- Human Error: Such as an employee accidentally deleting important data, failing to follow security procedures properly, or losing a corporate device.
- Supply Chain Error: The disruption of critical IT processes outsourced to IT service providers and vendors.
- Operational Risk: The risk of technological failures disrupting core business processes.
- Compliance Failure: The failure to comply with industry or geographical regulations (e.g. GDPR) or the requirements of regulatory bodies (e.g. the FCA, ICO).
Why does the board of directors need to be involved with IT risk management?
It’s understandable why businesses may think that IT risk management is the sole responsibility of the IT department: the risks relate to the use of technology, technology typically falls under the IT department, therefore that’s where IT risk management must lie.
Yet, technology isn’t the whole story.
A simple technical failure, such as the email system going down, can affect multiple teams across the business as well as clients and prospective clients. Depending on the length of downtime, this can result in lost productivity, lost revenue, and reputational damage. All of which will be reflected in the bottom line.
IT risk affects the whole business. Not just BAU operations, but the long-term goals and objectives. This risk must be considered and evaluated when determining the strategic direction of the business, which is why it is essential that the board of directors take ultimate accountability for it.
The IT department should certainly be involved in the process, as they will have a wealth of knowledge and understanding of the technical risks and the changing landscape, but it’s essential that the board understand the commercial impact as well. They need to know what the IT risks are, what the potential impact is, and the likelihood of that risk occurring, in the context of the business environment.
Only with this information can effective planning and resource allocation take place. Personnel may need to be allocated to undertake projects to address certain risks. The budget may need to be redistributed, allocated, or increased to take mitigating actions. It all depends on the board’s appetite for risk, but again, this tolerance level can only be determined with a complete and clear understanding of all the risks.
Of course, this is not to say that board members need to involve themselves in the minutiae of day-to-day monitoring. Everyone within a business has a role to play when it comes to successful IT risk management. Once the risks have been identified, categorised, and catalogued, responsibility can then be cascaded to senior personnel. They would then hold responsibility for identifying plans to mitigate that risk, and regular monitoring.
However, IT risk management should be a standing item on the board agenda. This is not an item which can be ticked off the to-do list. It is an item which needs to be reviewed and re-evaluated periodically. The rapid pace of change in the technology and business landscape means not only do the identified risks change, but there are new ones to review. There will be new technology to consider, which comes with its own complex risks. The context in which you evaluate these risks will also change as your business develops. What was once a high risk may become lower, or vice versa. As businesses are required to be more agile in practice and operation, so must they be too when it comes to IT risk management.
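The process described above (catalogue each risk under one of the categories listed earlier, rate its likelihood and impact, compare the result with the board’s appetite, cascade ownership to a named senior person and flag anything not re-evaluated within the review cycle) can be kept as a simple register. The example below is added here to illustrate that and is not code from QuoStar; the 5x5 scales, the 90-day review cycle, the appetite value and the sample risks are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 5x5 scales: an assumption for this example, the page does not fix a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The risk categories from the list earlier on this page.
CATEGORIES = {
    "physical", "security", "technical failure", "it management failure",
    "infrastructure failure", "human error", "supply chain", "operational", "compliance",
}


@dataclass(frozen=True)
class Risk:
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    owner: str            # senior person the board has cascaded responsibility to
    last_reviewed: date

    def __post_init__(self):
        # Reject entries that do not use the agreed vocabulary, so the register stays comparable.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.ref}: unknown category {self.category!r}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: likelihood/impact must use the agreed scale")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def treatment(risk: Risk, appetite: int) -> str:
    """The board's appetite is the highest score it will carry without a mitigation plan."""
    return "treat" if risk.score > appetite else "accept"


def review_overdue(risk: Risk, today: date, review_every: timedelta = timedelta(days=90)) -> bool:
    """Standing agenda item: flag any risk not re-evaluated within the review cycle (assumed 90 days)."""
    return today - risk.last_reviewed > review_every


def board_summary(register: list, appetite: int, today: date) -> list:
    """Highest-scoring risks first, each with its owner, treatment decision and review status."""
    rows = []
    for r in sorted(register, key=lambda r: r.score, reverse=True):
        rows.append({
            "ref": r.ref, "category": r.category, "score": r.score,
            "owner": r.owner, "decision": treatment(r, appetite),
            "review_overdue": review_overdue(r, today),
        })
    return rows


# Constructed sample register for the example, not real findings.
SAMPLE_REGISTER = [
    Risk("R1", "security", "Ransomware delivered by phishing e-mail", "likely", "severe",
         "Head of IT", date(2021, 1, 15)),
    Risk("R2", "technical failure", "Single file server, restore never tested", "possible", "major",
         "IT Manager", date(2021, 3, 1)),
    Risk("R3", "infrastructure failure", "Loss of the only internet circuit", "possible", "moderate",
         "IT Manager", date(2021, 3, 1)),
    Risk("R4", "compliance", "GDPR breach notification deadline missed", "unlikely", "major",
         "Compliance Lead", date(2020, 9, 30)),
]

if __name__ == "__main__":
    for row in board_summary(SAMPLE_REGISTER, appetite=8, today=date(2021, 4, 1)):
        print(row)
```

With an appetite of 8, R1 to R3 come out as "treat" and R4 as "accept", but R4 is also the one flagged as overdue for review, which is exactly the kind of entry that should not be allowed to drop off the agenda.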
Taking accountability for risk
IT risk management is a business investment. One which will help companies safeguard their ability to achieve their long-term goals. It requires commitment at board level and continual review. The pace of change in the IT landscape is so rapid that not only are there new risks developing all the time, but there is the risk that the business will be disrupted if it does not take advantage of opportunities.
The process requires a blend of strong IT and commercial expertise, as the board will need to strike a delicate balance when it comes to risk appetite. An extremely high tolerance could put the business in harm’s way with unnecessary risk from being on the ‘bleeding edge’. On the other hand, extreme risk aversion can stifle innovation and development, leaving the business lagging in the market and missing out on opportunities.
Boards should not be afraid to seek external counsel from a CIO-level Consultant to manage this process. Even where a business has an internal IT resource, a CIO can provide additional expertise. For example, translating the technical risk identified by IT into commercial terms for the board and assessing the impact on business strategy.
What are the essential cyber-security measures every business needs?
In today’s digital era, advancements in technology are happening very rapidly. Therefore our defence systems against very real cyber-security threats must keep pace. If the correct measures aren’t taken, your business might be more at risk than you think. Here are 9 essential cyber-security measures your business can take.
Are you relying on the same security basics you were a few years ago?
It’s easy for time to pass unnoticed while all these advancements happen around us. Before you know it, you’re relying on the same old security basics to protect your business as you were a few years ago – firewalls, antivirus and intrusion detection software. Most people update their mobile phone software more frequently than that. So here are our 9 recommendations on how to keep your company more secure.
Why is it so important?
The truth is, we all feel impervious to cyber-crime and security breaches. It’s just something that happens to other people – until one day it’s not. Even if a direct financial attack is not a concern for a business because that’s locked down, many people are unaware of the intrinsic value of the data their business holds in today’s world.
Hackers aren’t just after your bank accounts.
Cyber-crime is now an industry that produces over £1 trillion in revenue for cyber-criminals. Ransomware can be used to encrypt a company’s files and hold them for ransom. Network penetration can enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power. Money can even be gained by using social engineering to persuade employees to transfer cash to a fake bank account.
9 steps to combatting cyber-threats
- A Unified Threat Management (UTM) system: a combination of security appliances that acts as your gateway to the internet.
- A spam filter: stops potentially malicious files and links from entering your network via email.
- Antivirus/anti-malware software: applications that protect your servers, laptops and other devices from malware.
- A patch management system: manages the installation of software updates to close security holes.
- 2-factor authentication: adds a second factor at sign-in, so a stolen or guessed password alone is not enough to gain access.
- Device encryption: makes any data stored on a lost or stolen machine useless to criminals and keeps your data secret.
- Regular data backups: keep a copy of your business data at a secure off-site location in case the original is lost, and test that it can actually be restored.
- Content filtering: prevents access to dangerous or illegal websites, which reduces the risk of infection.
- A disaster recovery plan: sets out how you will recover from an unplanned event such as a fire or cyber-attack.
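An off-site copy only helps if it is complete, unaltered and recent enough. The example below is added to show the checks a practitioner would run on a backup copy (it also illustrates the backup verification an outsourced provider is described as taking responsibility for later on this page); it is not QuoStar's code or tooling. It records a SHA-256 digest per file when the backup is taken, compares an off-site copy against that manifest, and checks the copy's age against a recovery point objective. The file names, contents, timestamps and the 24-hour RPO are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path, taken_at: datetime) -> dict:
    """Record a digest for every file in the backup set plus when it was taken.
    Keep the manifest with the backup catalogue, not only beside the copy it describes."""
    files = {p.relative_to(source).as_posix(): sha256_of(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_copy(copy: Path, manifest: dict) -> list:
    """Compare an (off-site) copy against the manifest; an empty list means it matches."""
    problems = []
    for rel, digest in manifest["files"].items():
        target = copy / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != digest:
            problems.append(f"checksum mismatch: {rel}")
    # Files in the copy that were never in the backup set are also worth a look.
    for p in copy.rglob("*"):
        if p.is_file() and p.relative_to(copy).as_posix() not in manifest["files"]:
            problems.append(f"unexpected: {p.relative_to(copy).as_posix()}")
    return sorted(problems)


def within_rpo(manifest: dict, rpo: timedelta, now: datetime) -> bool:
    """Is the newest copy recent enough for the business's recovery point objective?"""
    return now - datetime.fromisoformat(manifest["taken_at"]) <= rpo


def demo() -> dict:
    """Constructed data: two files backed up to an 'off-site' directory, then damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live"
        offsite = Path(tmp) / "offsite"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("inv,amount\n1001,250.00\n")
        (source / "clients.txt").write_text("Acme Ltd\n")
        taken = datetime(2021, 4, 1, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(source, taken)

        shutil.copytree(source, offsite)
        clean = verify_copy(offsite, manifest)

        # Simulate silent corruption of one file and loss of another in the copy.
        (offsite / "finance" / "invoices.csv").write_text("inv,amount\n1001,999.00\n")
        (offsite / "clients.txt").unlink()
        damaged = verify_copy(offsite, manifest)

        rpo = timedelta(hours=24)
        fresh = within_rpo(manifest, rpo, datetime(2021, 4, 1, 18, 0, tzinfo=timezone.utc))
        stale = within_rpo(manifest, rpo, datetime(2021, 4, 3, 2, 0, tzinfo=timezone.utc))
        return {"clean": clean, "damaged": damaged, "fresh": fresh, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The digest check catches both the tampered file and the missing one; the age check is what turns "we have a backup" into "we have a backup we could actually recover from within the agreed window". A full restore test onto spare hardware is still needed periodically, since a matching manifest does not prove the application can start from the restored data.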
Regulatory fines and costly lawsuits sting victims of cyber-crime too.
Keeping businesses cyber-secure is even more important since the implementation of the General Data Protection Regulation (GDPR – tailored by the Data Protection Act 2018). Businesses are responsible for their data leaks or breaches if the correct security protections/protocols have not been put in place. Hefty regulatory fines can be levied, and costly lawsuits can follow for the victims of a cyber-attack or security breach.
All businesses should ideally be looking into taking more than just the bare minimum steps to keeping the company cyber-secure, but it’s at least these 9 steps that start the journey in the right direction. The next step beyond the basics is to become Cyber Essentials certified.
Cyber Essentials is a Government-backed Certification
Cyber Essentials is a government-backed certification scheme (run by the NCSC) that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.
Cyber Essentials still covers fairly basic security controls, across five areas (firewalls, secure configuration, user access control, malware protection and security update management), with requirements such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of unnecessary OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the certification process if you haven’t already – it can improve your company’s image as well as open you up to working with more cyber-conscious clients.
What is a Chief Information Officer?
A Chief Information Officer (CIO) is usually the most senior member of a company’s IT team. The CIO handles the corporate IT strategy and determines areas for improvement in IT systems and processes.
In most cases the CIO reports to the Chief Executive Officer (CEO), but it’s also common for a CIO to report to the Chief Financial Officer (CFO) or Chief Operating Officer (COO) instead.
The title of CIO is often used interchangeably with ‘IT Director’. Unfortunately, IT Director is also the name of a separate role. If a company has both a CIO and an IT Director, the IT Director likely focuses on the day-to-day IT operations and reports to the CIO, who focuses on the long-term strategy and major IT projects.
What does a Chief Information Officer do?
1. Evaluates new technology
A CIO’s main responsibility is to be aware of emerging technologies and determine how (or if) they can be of benefit to the business. For example, a CIO might look at how to utilise AI, blockchain or the Internet of Things (IoT), looking for a possible competitive advantage and/or financial benefit they could deliver for the business.
A good CIO can see past the hype of new technologies and takes a level-headed approach when determining a business case. This makes an understanding of business, as well as technical IT knowledge, necessary.
2. Manages the IT strategy
The CIO is also responsible for the creation of a business’s IT strategy. This includes infrastructure refreshes, upgrades to hardware and integrating new systems into the business’ operations. The mark of a good CIO in this area is their ability to align the IT strategy with the wider business strategy.
Thanks to being in regular contact with the CEO, the CIO will be able to communicate the needs of the IT department to the C-suite and the needs of the wider business back to the IT teams. This enables both the business and IT strategy to work in unison, rather than against each other.
3. Oversees IT projects
When the business is undertaking a major IT project, it’s usually the CIO who manages the implementation strategy. They’re also often the one who signs off the decided solution and who is accountable for the actual implementation.
For example, if the project was selecting a new line of business application, the CIO’s knowledge and their experience of technology, operations and commercial understanding are important to get the right business-enhancing solution.
How can I get a CIO?
The process of hiring a CIO can be a daunting prospect for any business, and it is particularly difficult for a growing one. Since a full-time CIO’s salary ranges from £70,000 to over £240,000, procuring the funds or providing the right environment to attract and keep a candidate with the required knowledge of both IT and business, plus several proven years of experience in similar sectors, can be challenging.
The advantages of an outsourced CIO
For businesses in this situation, an alternative is to outsource the CIO function. This approach has a few notable advantages over hiring an in-house CIO.
- It’s less expensive as you usually only pay for the time when you use their services, rather than a salary.
- It can be easier and much less expensive to switch who fulfils the CIO function when you outsource. It’s also usually possible to switch to another CIO Service without changing your outsourcing provider if the problems were a result of a poor culture fit. This saves the hassle of beginning a CIO search again and eliminates resulting HR issues.
- You can hire individual CIOs from many providers for specialist projects. Allowing you to not rely on a single individual having every skill required for every project you want to undertake.
- An outsourcing provider offering a CIO Service often has many CIOs who can work together or combine their knowledge to provide you with a solution. Essentially giving you the expertise of multiple CIOs for the price of one.
There are some disadvantages to consider, such as only having part-time availability. But, since the CIO role is strategic, they’re not typically required at the drop of a hat. So it’s unlikely to have a significant impact.
For a growing business, the benefits of outsourcing the CIO function far outweigh the negatives. It’s an effective way of gaining an expert to assist with the IT side of the business, without the traditional costs and HR headaches.
The benefits of IT outsourcing can give you a great advantage over the competition.
In an increasingly competitive business environment, having a competitive edge is vital to helping your business to survive and grow. The benefits of IT outsourcing can be vast. Outsourcing your IT to an outside provider is one way to gain this edge and here’s how it can help you…
1. Outsourced IT support can improve business focus
No growing or fledgling business can have an expert in every area, and seasoned IT professionals can be expensive. The benefits of IT outsourcing are huge for a growing business, especially as they can lack the resources needed for a dedicated internal IT team. It, therefore, makes sense to outsource certain functions to a company that can focus specifically on that area.
Not only does that give you the same level of service as an internal team would, but it also lets you keep your current internal staff focused on achieving your business goals and doing what your business does best.
2. You have access to experienced professionals
Because outsourced IT teams work with multiple clients, they have a greater range of experience with a greater range of IT systems. This means that they’re more likely to be able to address your specific needs and requirements, as they’ll have the experience.
This can also mean that if you outsource your IT support, the support analysts will be able to solve issues faster because they won’t need to do as much preliminary research and troubleshooting as someone who hasn’t encountered the problem before would. This reduces the average length of a ticket time and means you experience less IT downtime.
3. Helps you manage your budget
The cost of hiring and training a single dedicated employee easily outstrips the price of outsourcing. And in a growing business, hiring any employee can be a risk if they turn out to be a poor fit or under-qualified. With the high salaries of well qualified IT specialists, these risks are amplified even more.
Choosing to outsource your IT needs instead means you have more options to choose from regarding how you get your IT support, enabling you to be more flexible with your budget. This leaves you open to investing more in system upgrades, delivering increased business performance and improved security systems to keep you safe from the multitude of cyber-threats out there.
4. Address any issues rapidly
Employing a dedicated support engineer for dealing with support tickets will mean that they’re stretched thin across your business. This can result in long waits for simple fixes, even longer waits for big issues and backlogs of issues whenever that employee is off sick or on holiday.
You get access to multiple highly qualified and experienced support specialists if you choose to outsource. You’ll be able to provide solutions to many simultaneous issues and reduce the amount of time lost to under-maintained IT. This will in turn let you focus more on your business and reduce the chance of costly downtime.
5. Reduces downtime
Having an IT support team on hand means problems can be resolved faster and employees can return to work sooner. This means less time is spent dealing with technical issues and more time is spent on the tasks which deliver value for your business.
A high-quality outsourced IT provider is also able to identify larger issues that could cause an outage or technical problem in the future and suggest ways to solve it. This lets you prevent or avoid expensive periods of downtime that can damage both your profits and your image.
6. The benefits of IT outsourcing allow you to be more competitive
Outsourcing your IT lets you get the advice and assistance that larger firms have, but at a price suitable for a growing one. This allows you to compete with other businesses in your field by giving you access to the technology and support that they utilise. Additionally, with access to a service that market leaders use, you’ll be able to elevate yourself above the direct competitors in your field.
7. Provides 24x7x365 monitoring
It’s not feasible to expect your single IT manager to monitor every single aspect of your IT environment 24/7, 365 days of the year. But if you choose a quality IT support provider they’ll have access to the resources needed to do this. Not only that but they’ll also have the expertise needed to spot any potential issues and resolve them before downtime occurs.
8. Works proactively, not reactively
Many internal IT teams deliver a reactive service. Only broken things get fixed. Although this may keep a business running, things shouldn’t be left to break down in the first place. One of the biggest benefits of IT outsourcing is that forward-thinking outsourced IT providers offer proactive support where they identify potential issues, and implement suitable solutions before a major technical failure occurs, saving you time and money.
9. You bypass lengthy training & you save money
Delegating aspects of the workload will see a cost benefit. Outsourcing allows you to avoid the often large monetary and time costs associated with training dedicated IT staff. This is because a good IT provider will hire experienced analysts and continue to train them further in their own time rather than on yours.
Additionally, by working with multiple clients, analysts can develop their skills and experience further and faster. Ensuring that you receive a constantly improving service.
10. Minimises risks
A well-maintained, reliably accessible IT environment underpins business success, so a good outsourced IT provider will keep your environment up to date. This includes taking full responsibility for verifying backups, pushing out patches, and keeping stock of inventory to minimise potential disruption.
The right outsourcing partner needs the capacity and expertise to proactively monitor your systems to prevent downtime and respond quickly to any issues.
Choosing to outsource your IT also reduces the risk of making a poor technology investment, as you will always have technical expertise on hand to assist you with major projects.
11. Your knowledge pool is bigger
When you hire an IT specialist you get the expertise of a single person with a single level of skills. When you hire a support team, you get access to multiple analysts with various levels of expertise in multiple areas. So, you end up with access to a greater pool of knowledge at a more cost-effective rate.
Furthermore, the Service Desk Manager can ensure that the analyst with the most relevant experience is assigned to each ticket. Reducing the time taken to solve issues, so you run faster.
12. Increases efficiency
Through outsourcing, you can reduce the time spent on the little things and focus more on the big picture. Employees can spend less time trying to fix IT by themselves, technical issues can be resolved faster and expert advice can be given on IT infrastructure problems. This means you have more time on your core business activities which support your growth and success.
In conclusion
A critical function like IT being in the hands of an external company can seem risky, but with so many benefits provided by outsourcing, there’s no reason not to consider it for your growing business.
Question
“Coronavirus has had a significant impact on my business, and I need to find ways to protect our profit margins without harming the business longer-term. Our IT systems definitely helped us stay up and running during the lockdown, so I know I can’t really cut spending dramatically but is there a way I can use our systems and technology more effectively, in terms of helping revenue or margin in the short and mid-term?” – Managing Director.
Answer
A common mistake businesses make is to think about IT purely as a cost. This typically happens when businesses think of IT purely as hardware – laptops, desktops, printers, servers, phone systems – and the software that runs on it. While these are important parts, if you’re really looking to improve margin with IT then you need to move beyond a basic product-focused mindset.
Instead, you need to start thinking about IT holistically, in the context of your entire business operation. There will hardly be an area that is not affected by IT in some way, so there’s definitely an opportunity for you to utilise systems and technology to improve company profit margins.
Digital transformation has focused organisations on new opportunities and made technology that was once only affordable to larger enterprises widely accessible. Alongside traditional margin improvement strategies, such as outsourcing and external cost reduction, digital transformation has the power to improve operational efficiency and optimise costs. However, it cannot be achieved simply by purchasing all the latest digital tools and IT solutions.
How to create a margin improvement strategy
In the current economic climate, it is understandable why margin improvement is top of mind. But, before you rush to invest in new IT solutions, it is important to identify what is not working first.
Data is the key to making margin improvements. Review your departmental KPIs, expense reports, your budgets, and current sales. Talk to your employees, understand their day-to-day activities and the challenges in their role. Are you neglecting IT equipment refresh cycles? Are employees spending too much time on repetitive administrative duties? Is it difficult to access data and business information? Are your systems – and departments – siloed and not talking to each other?
Assessing the current state of your business will allow you to understand shortcomings and help you decide where to direct your efforts. Once you’ve found the gaps, you need to assess the potential impact of each one to create an effective plan to address them. You may not even need to make any new IT investments right now; you already have huge potential for improvement in your systems, you just need to investigate.
Where can you use IT to improve company profit margins?
IT holds so many possibilities to improve company profit margins, but below are just a few examples:
Use IT to Increase Production Velocity
The shorter the time from order to delivery (of product or service), the lower the overheads per unit produced. Evaluate your process to see if there are ways you can speed it up. Can you use IT solutions to automate, template or pre-do any of the steps? Are there any steps which could be removed or streamlined further? Are there any recurring problems or blockers which need to be addressed? If you’re dependent on a supply chain, is there a way to use IT to notify you of potential issues (e.g., stock shortages, 3rd party lead-times, demand increases) ahead of time, so you can rectify them before they cause real problems?
Use IT to Increase Customer Retention
Attrition costs money. You need to ensure that your customers not only stay with your business but remain happy and continue to purchase. A CRM system ensures that all relevant customer information is stored in a central location, which can be accessed by the relevant Customer Service, Sales or Account Management reps. You can use this information to ensure communication is more relevant, accurate and frequent, thereby providing a better customer experience and increasing the likelihood of upsells and cross-sells.
A centralised portal of information also allows any member of the team to pick up communications if, say, a rep leaves, is on holiday or is ill, allowing for a smooth experience for the client. If you build in automation and reporting to ensure service levels and client expectations are met, you will make significant inroads in retention.
Use IT to Automate Administrative Duties
Administration is a necessary part of any business, but it’s often time-consuming, repetitive and, sometimes, low value. Automated workflows can reduce the burden on employees and allow them to focus on higher-value activities. Some tasks you could consider automating include responding to customer queries, collecting customer data, scheduling appointments, generating quotes, invoices and proposals, and debt collection. If you actually map out and review your core processes and procedures, the likely candidates for automation should become clear. I would recommend seeking advice from an IT consultant with a systems analysis specialism about where automation could be deployed and where it would have the greatest effect.
Use IT to Identify & Reduce Wastage
Is quality an issue on some of your products or services? Are you buying leads that your sales team are not following up with? Are you investing in pay-per-click ads that are not generating interest? Are expensive staff spending too much time on administrative work? Data can help you pinpoint these areas of waste and allow you to cut unnecessary spend – which you can then invest in the right areas.
What other potential results could you achieve?
- Improved Efficiency: When time-consuming, repetitive, low-value processes are automated, the workflow becomes faster and allows the entire business to become more efficient.
- A Better Customer Experience: More accurate, frequent, and relevant client communications help improve the customer experience, thereby increasing retention. Customers are more likely to remain with the business, make further purchases and recommend you to others.
- More Informed Decision Making: With access to more and better-quality data, you can make the right decisions that will really drive the business forward. When you know which actions drive a return and which don’t, you can direct effort and spend to the right areas.
- Better Resource Allocation: With repetitive but necessary tasks automated it will free up your employees to spend time on more high-value tasks such as account management, project management and business improvement.
- Improved Market Penetration: With improved efficiency and better decision making, the market penetration process becomes easier, resulting in customer base growth, increased customer satisfaction and greater profits.
- Easier Project Management: Tracking time spent and how long tasks take will help you manage customer projects more effectively. You can assign resources more effectively and bill customers more accurately for work completed.
A Final Note of Caution
The restrictions of the pandemic have proved just how vital IT systems are to business operations. While in a downturn it is tempting to slash all spend to the bone to protect those margins, this can cause significant harm in the long run. The extra margin you are looking for is already in the business, you just need to make the improvements to dig it out. If you are unsure where to start, then an audit or an independent review from an IT consultant is a good place to start. Yes, it will require some investment, but this one-off ‘purchase’ will show you where to find the hidden value you need to improve company profit margins.
Plus, with ISDN-based telephony now a legacy product and due to be taken out of service in 2025, it makes sense to invest now and future-proof your business.
However, as with the roll-out of any new system, there are technical considerations to bear in mind to ensure the transition to a VoIP phone system is as smooth as possible with minimal disruption and risk to the business.
Preparing to upgrade to a VoIP phone system
1. Is your connectivity suitable to run voice?
To ensure business-grade call quality, your internet circuit needs to have a guaranteed level of performance. Normal DSL broadband circuits will not be suitable for voice as there’s no guarantee of quality. If there’s a surge in network traffic, voice packets can drop or arrive all at once, making it difficult to understand the call and providing a poor experience for both parties on the line.
One alternative is a DSL circuit with performance SLAs designed specifically for voice. However, these cannot be used to also carry normal data traffic – for that you need a separate data internet circuit. Instead, a better option would be an ethernet circuit which can provide suitable performance SLAs. If configured correctly for quality of service, an ethernet circuit can also prioritise voice traffic over normal data, making it suitable for simultaneous use.
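A quick way to put numbers on the connectivity question above is to size the voice load and compare it with the slower direction of the circuit, then check the delay, jitter and loss figures from a line test. The example below is added for that purpose and is not QuoStar's code or a vendor tool. The per-packet header overhead is the standard RTP/UDP/IPv4/Ethernet figure for an untagged link; the delay, jitter and loss thresholds and the one-third voice share of the link are rules of thumb assumed for the example (the 150 ms one-way delay figure follows ITU-T G.114), and the circuit figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Codec:
    name: str
    bitrate_kbps: int   # codec payload rate
    ptime_ms: int       # milliseconds of audio carried per packet


# Fixed per-packet overhead on an untagged Ethernet/IPv4 link:
# RTP 12 + UDP 8 + IPv4 20 + Ethernet header and FCS 18 bytes.
# VLAN tags, a VPN tunnel or IPv6 add more; adjust for your own path.
HEADER_BYTES = 12 + 8 + 20 + 18

G711 = Codec("G.711", 64, 20)
G729 = Codec("G.729", 8, 20)

# Thresholds assumed for this example; the page gives no figures.
MAX_ONE_WAY_DELAY_MS = 150   # ITU-T G.114 guidance
MAX_JITTER_MS = 30
MAX_LOSS_PCT = 1.0
VOICE_SHARE_OF_LINK = 0.33   # keep the priority (voice) queue to about a third of the link


def per_call_kbps(codec: Codec) -> float:
    """Bandwidth of one call in one direction, headers included."""
    packets_per_s = 1000 / codec.ptime_ms
    payload_bytes = codec.bitrate_kbps * 1000 / 8 / packets_per_s
    return (payload_bytes + HEADER_BYTES) * 8 * packets_per_s / 1000


def assess_circuit(upload_kbps: float, download_kbps: float, calls: int, codec: Codec,
                   one_way_delay_ms: float, jitter_ms: float, loss_pct: float,
                   qos: bool) -> list:
    """Reasons a circuit is unsuitable for `calls` concurrent calls; an empty list means it passes.
    Voice is symmetric, so the slower direction (upload on DSL) sets the limit."""
    findings = []
    need = calls * per_call_kbps(codec)
    limit = min(upload_kbps, download_kbps)
    if need > limit * VOICE_SHARE_OF_LINK:
        findings.append(f"{calls} x {codec.name} needs {need:.0f} kbps; "
                        f"a {limit:.0f} kbps link leaves no room for data traffic")
    if not qos:
        findings.append("no QoS: a burst of data traffic will queue ahead of voice packets")
    if one_way_delay_ms > MAX_ONE_WAY_DELAY_MS:
        findings.append(f"one-way delay {one_way_delay_ms} ms exceeds {MAX_ONE_WAY_DELAY_MS} ms")
    if jitter_ms > MAX_JITTER_MS:
        findings.append(f"jitter {jitter_ms} ms exceeds {MAX_JITTER_MS} ms")
    if loss_pct > MAX_LOSS_PCT:
        findings.append(f"packet loss {loss_pct}% exceeds {MAX_LOSS_PCT}%")
    return findings


if __name__ == "__main__":
    # Constructed figures: a consumer ADSL line versus a 100 Mbps Ethernet circuit with QoS.
    print(assess_circuit(1000, 17000, 20, G711, 40, 45, 0.5, qos=False))
    print(assess_circuit(100000, 100000, 20, G711, 12, 4, 0.0, qos=True))
```

G.711 works out at 87.2 kbps per direction per call and G.729 at 31.2 kbps, so twenty simultaneous G.711 calls need roughly 1.7 Mbps in each direction; on a 1 Mbps ADSL upload that fails on capacity alone, before the lack of QoS and the jitter figure are even considered, which is the page's point about broadband circuits.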
2. How long will it take to install your new phone system?
Installing a new phone system can take longer than anticipated. From preparing the hardware and configuring the phone system, through to integrating with the LAN network and porting the number, there are many different elements to consider. Determine how long it will take to install and when you want the new system in by so you can create a comprehensive project plan.
If you’re installing a new phone system as the result of an office move, you should start planning as soon as you have your move date. It’s vital that you leave adequate time for installing and testing the new system, particularly if your business relies on the ability to make calls in order to operate.
3. How will you communicate the change to employees?
Installing new hardware and changing handsets can not only disrupt operations, but it may also affect company culture. Employees may need to adjust to new handsets and features, or even new ways of working if you’re moving away from physical desk phones to softphone applications instead.
With any new system roll-out, it’s important to engage employees from the start. When staff feel informed it typically makes the process much smoother and increases adoption rate. With phone systems being such a vital line of communication, you should have a suitable training plan in place. If employees are confident using the features, they’ll embrace the technology fully, ensuring a professional image of the business is presented and providing a better experience for anyone who calls in.
4. Does your disaster recovery plan include telephony?
It’s important not to forget about your disaster recovery plan when moving to a new phone system. While the available features and functionality of cloud-based phone systems can increase availability, you still need to be prepared and able to react to worst-case scenarios. Ensure you’re able to answer questions like:
- What happens if the phone lines go down or there’s a power cut?
- What happens if the system goes down?
- Where will calls be routed?
- What impact will downtime have on the business? What are acceptable levels?
Support for phone system upgrades
Choosing and deploying a new phone system is a significant undertaking, but the wrong decision can put your business at risk.
If you want to ensure you’re making the right investment and your phone system will meet your business requirements, then a managed telephony service is a good option.
At QuoStar, we can work with mid-market businesses to determine their requirements in order to select the most suitable platform. We can also manage the installation or upgrade of your phone system and provide ongoing monitoring and maintenance to ensure it continues to deliver for your business.
IT project management is a key part of business success but it has never been an easy task. CIOs can frequently find themselves juggling cost, time constraints and new technologies, and more often than not this can be the case across multiple simultaneous projects.
While no two projects are exactly the same, they can often suffer from the same teething problems.
1. Being unclear about the goals
It’s important that everyone involved understands their role, responsibilities and deliverables, so don’t underestimate the importance of a kick-off meeting. This should include all the key stakeholders and will help to define and set expectations. If all stakeholders are on board, they will focus their energy towards project completion rather than finger-pointing and complaining they were never consulted on the project outcomes.
You shouldn’t only evaluate your goals at the start of a project. As a project progresses, additional goals or outcomes may creep into the work – resulting in the infamous problem of scope creep. A CIO should take these additional goals, consider if the value they add is worth the additional project resources needed and make a decision on whether to include them into the project’s scope.
Even if an idea is not incorporated into the project because it would divert too many resources from the original project’s goals, it can be made into a separate project which is conducted later on.
2. Focusing solely on the project as one whole piece
While it’s good to see the bigger picture, focusing on the project solely in this way can make it seem overwhelming or unachievable. Instead, you should break the project down into small pieces and assign each one to the most appropriate individual. This will help to make the team feel more comfortable and confident as they successfully accomplish each task.
3. No prioritisation
When you have IT projects running concurrently, team members may sometimes end up spending too much time on a lower-value project whilst a higher-priority one starts to slip. Clear and continual communication is important throughout the lifecycle of each project so everyone involved knows which tasks should take priority and when the priorities have changed. Being upfront can save a lot of potential headaches and hassle further down the line.
4. Little or irregular communication
While every CIO knows that communication is a fundamental part of successful project management, it can be all too easy to forget to set aside time for team meetings or to update key stakeholders. It is important not only to set aside time for regular meetings but also to establish a format for these meetings. Ensure the right people are attending the right meetings at the right time. Having too many people involved can slow things down. Instead, you should have key people from each project area attend, reporting on progress and updates. They can then feed back to other team members.
5. Not using project management tools
It’s important to use project management tools so you can ensure the project is on track to meet the deadline. There are many tools available which give a good visual representation of a project and its progress.
6. Failure to adjust
Even with careful planning and an established strategy, things do go wrong. It’s important not to let the “fear of failure” take over when a project goes downhill. Instead focus on creating a culture of transparent and truthful reporting, which will provide key stakeholders with the information they need for timely decision making. In this scenario, if a strategically important project were to go wrong, the business will be able to set it back on the path to success by adjusting the budget, resources or delivery expectations in line with the information provided by reporting.
7. No delegation
With multiple projects running at once it’s almost impossible for one person to try and stay on top of everything. CIOs need to know how to delegate and ask the right questions of their project managers.
Tackling IT project management issues
For some companies, it may be beneficial to outsource the project management function. It’s also a good option for businesses that lack project management experience or have cash flow constraints.
External project managers can bring a level of objectivity to the role which can be highly valuable. It can also be cost-effective. You can hire someone with the right experience for a specific project rather than a full-time resource.