Securing the data – and our future
Tue 15 Apr 2014
Peter Ransom, the CIO of international charity Oxfam, has taken on the role of security manager while a colleague was recruited. Understanding the threats without and the risks within, it has been an eye opening experience.
“The thing is, our policy doesn’t quite cover this and as you are the acting Information Security Manager, we need you to make a decision. Better still, boss, can you review the policy to make the changes?”
Hmm. When I said I’d act as the InfoSec Manager whilst we found a replacement I thought I’d be babysitting the operation and not have to make changes to the policy. Luckily the new guy is just a couple of weeks away but even so the past couple of months haven’t been easy. What with increasing PCI compliance demands, several ‘”opportunities” to demonstrate the effectiveness of our systems and the odd signing-off on projects, I’ve certainly become aware of the complexity of a mixed approach to data security in our architecture.
Now you may not know much about us, so let me introduce Oxfam to you. We work in over 90 countries around the world and I have IT in about 60 of these. We have 5,500 employees across the world, 22,000 Volunteers, around 200 Offices, 700 shops and a couple of warehouses in the UK. I’m based in Oxford although I commute from London.
Why tell you this? Well, we are a decent-sized operation. We are also an INGO (International Non Government Organisation or International Charity, if you like) and much like other low margin operations we struggle to justify all spend on areas that aren’t very directly related to our primary objectives. That’s not to say it is underinvested, however IS Security is all about managing risk and that is something a humanitarian organisation is very comfortable with, just look where we operate.
I think I’m lucky in that my board recognises we live in a changing, somewhat dangerous world. After all, in many ways that’s why we exist. Nevertheless, justifying significant investment against unknown risks is an issue. Of course, I’ve tried to put the benefits in business terms, our favourite recently was savings in the Help Desk equated to 1200 goats a year! I’ve gone off topic a little because it was on my mind as the project team were looking at me. Moving to a model that allows cloud and on site hosting along with SaaS and IaaS has meant that all our policies had or have to be updated and our views also changed. Once you start, naturally you uncover more that is needed!
It’s not new, of course, and for some time now we have been successfully talking about keeping the data safe rather than securing systems. They do go hand in hand, though you can’t make changes overnight and for some systems you have to retire them. It’s the sheer complexity that means we now have a small team of security people, not all full time, however still we have significantly increased our spend on IT security since I have been at Oxfam. Some is due to the increasing threat types but I’d also have to say a lot is also down to the increasing number of different devices and the many ways our users can access and lose the information.
Where is all this leading? Not to a specific conclusion, more of an interim view. How we balance off the challenges of consumer devices entering our ecosystem along with the increasing complexity of threats coupled with the large number of system, is going to challenge even the best managed operations. There are many solutions and ways to achieve this but all will require significantly more investment of money, people and intellect.
Photo: Oxfam GB
