IT leaders admit their biggest security mistakes

A panel of IT leaders at Computing's recent Enterprise Security and Risk Management Live conference discuss their biggest security failings

A panel of IT leaders admitted their biggest security failings, including missing weaknesses in their supply chain, and failing to keep up with evolutions in security tools.

The panel discussed the issue at Computing's recent Enterprise Security & Risk Management Live conference in Central London.

Earlier, the same panel said that security recruitment is hard not because the relevant skills aren't available, but because recruiters look for the wrong traits and qualifications.

"We were guilty of letting our security toolset get stale, and not keeping up with changes," admitted Arshid Bashir, CISO at the Department for Transport.

"We also didn't sell the right message about moving to cloud. There was this assumption that cloud would be easy, and whilst it is secure, we assumed it was secure enough for us and it wasn't.

"So we went back to the board and said 'yes we moved to cloud, but there's lots more we need to do to protect ourselves and understand the risks we have'. We're 90 per cent cloud now, and 10 per cent residual on premises," he added.

Michael Barry, head of IT risk and compliance at Gallagher Global Brokerage UK, spoke about the need to assess the security of the organisation's supply chain.

"We're not massive adopters of cloud, but many of our suppliers are. When we conduct due diligence of our suppliers they send us details of their cloud providers, but they completely miss the weaknesses within their software and databases. We find they need educating around there," said Barry.

Laura Jones, senior risk analyst for cyber security at the Financial Times, said her biggest mistake was failing to manage upwards.

"For me it was failing to manage upwards, in the sense that management can often expect the world, and create a culture where people are afraid of getting things wrong, so they spend all their time saying 'no, there are no risks'.

"Sometimes you need to listen to the pessimists. Maybe they're pessimists because they understand the risks."

Carlo Petrini, IT telecommunications coordinator at Allianz, sounded a positive note about risks and mistakes.

"We don't talk about mistakes in IT security at Allianz, we talk about opportunities," he said.

Another panel at the event warned the industry to stop blaming users for security mistakes.