Speaking to Out-Law.com at the inaugural Cyber Security Awards in London, Bryan Littlefair said CISOs must act as an "enabler" of digital innovation within their organisations whilst ensuring customer data and other important information is secure. Working towards those goals, CISOs are essentially tasked with the broader aim of "brand preservation", Littlefair, winner of 'CISO of the year' at the awards, said.
"If you boil the jobs down of [IT security professionals] they are ultimately tasked with protecting the brand," Littlefair said.
Littlefair moved from being CISO at Vodafone to Aviva earlier this year. The biggest difference between the two roles, he said, is the additional regulatory obligations Aviva is subject to, which have to be considered, although "the commonality" is in "the need to protect your customer data".
Despite the regulatory issues that have to be navigated and the potential penalties that could be imposed for an information security breach, Littlefair said that it is the commercial and reputational impact of a customer data breach that should be the greatest concern to businesses.
"A customer data breach erodes your trust model and that is the worst thing that can happen," Littlefair said. "If you have a breach, research suggests that 60% of your customers will think about moving and 30% actually do."
Littlefair said he is keen to use his understanding of and expertise in mobile apps, acquired from his time at Vodafone, to help develop secure digital services for Aviva. He said that Aviva has developed a digital strategy and has recognised that its interaction with customers must be via digital channels. To this end, the company has set up a "digital garage" – a distinct technology centre in London – to encourage the "cool kids" to "come up with the next generation of apps and products", Littlefair said.
"You cannot create something that is innovative without involving security in some way," he said.
Among the issues Aviva is considering as it develops its digital business is customer authentication, Littlefair said. He said the challenge facing companies when developing slick new digital services is how they can "move away from archaic authentication" and find solutions that "allow customers to interact with you" whilst ensuring that "security is invisible" to those service users.
Aviva has a number of senior executives who all share "horizontal" responsibilities for information security, Littlefair said, including himself, the company's chief digital officer, chief information officer and head of marketing. Security is also a "vertical issue", Littlefair said, highlighting the importance of everyone in an organisation taking responsibility for data security, from board-level down.
To succeed in their role, CISOs must "understand what is happening across the business", Littlefair said. He said CISOs "cannot just be a 'techie' any more".
"You have to be able to translate security into a language that people understand," Littlefair said.
Littlefair said that as well as addressing information security issues relevant to new customer-facing digital services, CISOs must address new digital trends in the workforce, such as 'bring your own device' (BYOD).
Littlefair said that whilst CISOs have "got to take a modern approach" to mobile working, a "balanced risk posture" is required. CISOs must understand the security threats facing their organisation, their own business' "risk tolerance" and the individual roles that people in the organisation perform when defining who should have access to systems and data and in what circumstances, he said.
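The access decision described above combines three inputs: the role the person performs, the sensitivity of the data requested, and the circumstances of the request (for example, a managed corporate device versus a BYOD phone on a public network), all judged against the organisation's risk tolerance. The following Python is an added illustration of such a decision and is not Aviva's policy or any code from the article. The role entitlements, risk weights and the risk tolerance threshold are hypothetical constants chosen for the example.

```python
"""Context-aware access decision (added example; hypothetical policy values).

Models the three factors in the text: role, data sensitivity, and the
circumstances of the request, evaluated against a risk tolerance threshold.
Every table below is a constructed example, not a real organisation's policy.
"""
from dataclasses import dataclass

# Data classifications, ordered by sensitivity (hypothetical).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "customer_pii": 3}

# Highest classification each role is entitled to at all (hypothetical).
ROLE_CEILING = {
    "marketing": "internal",
    "claims_handler": "customer_pii",
    "security": "customer_pii",
    "contractor": "internal",
}

# Circumstance weights: how much a device type or network adds to risk.
DEVICE_RISK = {"managed": 0, "byod_enrolled": 1, "byod_unmanaged": 3}
NETWORK_RISK = {"corporate": 0, "vpn": 1, "public": 2}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    data_class: str
    device: str
    network: str
    mfa_verified: bool = False  # True once a step-up challenge has been passed


@dataclass(frozen=True)
class Decision:
    outcome: str  # "allow", "step_up" or "deny"
    risk: int
    reason: str


def risk_score(req: AccessRequest) -> int:
    """Risk grows with data sensitivity multiplied by how untrusted the context is."""
    return SENSITIVITY[req.data_class] * (
        DEVICE_RISK[req.device] + NETWORK_RISK[req.network]
    )


def decide(req: AccessRequest, risk_tolerance: int = 3) -> Decision:
    """Return allow / step_up / deny for a request.

    Order matters: entitlement and hard prohibitions are checked before the
    risk arithmetic, so a convenient context can never grant data a role may
    not see. Scores above the tolerance but within twice the tolerance can be
    brought into tolerance by a second factor; anything higher is refused.
    """
    ceiling = ROLE_CEILING.get(req.role)
    if ceiling is None:
        return Decision("deny", 0, "unknown role")
    if SENSITIVITY[req.data_class] > SENSITIVITY[ceiling]:
        return Decision("deny", 0, f"role {req.role} not entitled to {req.data_class}")
    # Hard rule: customer data never reaches an unmanaged personal device.
    if req.device == "byod_unmanaged" and req.data_class == "customer_pii":
        return Decision("deny", 0, "customer data not permitted on unmanaged device")

    score = risk_score(req)
    if score <= risk_tolerance:
        return Decision("allow", score, "within risk tolerance")
    if score <= 2 * risk_tolerance:
        if req.mfa_verified:
            return Decision("allow", score, "elevated risk mitigated by second factor")
        return Decision("step_up", score, "elevated risk: require second factor")
    return Decision("deny", score, "risk exceeds tolerance even with step-up")


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AccessRequest("claims_handler", "customer_pii", "managed", "corporate"),
        AccessRequest("claims_handler", "customer_pii", "byod_enrolled", "vpn"),
        AccessRequest("claims_handler", "customer_pii", "byod_enrolled", "vpn", True),
        AccessRequest("marketing", "customer_pii", "managed", "corporate"),
        AccessRequest("claims_handler", "customer_pii", "byod_unmanaged", "corporate"),
        AccessRequest("contractor", "internal", "byod_unmanaged", "public"),
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.role:15} {s.data_class:13} {s.device:15} {s.network:10} -> {d.outcome} ({d.reason})")
```

The point of the ordering is that "balance" is applied only to the residual decision: role entitlement and the prohibition on customer data reaching unmanaged devices are fixed, and the risk tolerance only decides whether a permitted request proceeds silently, after a step-up, or not at all.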