CIOs also voiced concern about prioritising external threats over internal network vulnerability. As companies grow larger, deciding how and when to patch systems has become more art than science. In some sectors such as shipping and logistics, this can be a cumbersome process given the number of access points and connected devices. Steven Sim, Senior Manager, IT Security, PSA International, emphasised that even with automated patching solutions, shutting down systems (as is required with some patches) to complete the process is not a viable option. "As a far-flung operation with ports all over the world, it is a significant problem because we are not physically present to address potential network issues. Such internal vulnerabilities, if we don't patch in time, could expose our assets," he remarked.
"In the healthcare sector, many critical systems are interdependent and on call 24/7," observed Lim Soo Tong, CIO of Jurong Health. "Shutting down a system to patch is nearly impossible without impacting patient care. So there is a delicate balance to achieving this without hurting those who need our services."
For CIOs in all sectors, finding skilled personnel and funding to fulfil the objectives of their security frameworks has become a significant problem.
The personnel resource concerns were particularly acute in shipping and logistics because of the remote office locations. "Quite frankly, attracting right-skilled personnel has become a serious issue that is hampering on-going efforts to manage security risks," noted Adeline Tiang, Asst VP of Group Information Technology at PSA International.
The outlook on funding, however, was noticeably more hopeful. Several CIOs expressed optimism that CFOs were now prioritising security investments. Security was now a mainline budget item, discussed widely among C-suite executives in the boardroom. Said Ms Ow Yuen Wan, MD, Group Technology & Operations/Information Security & T&O Assurance, United Overseas Bank, "There's been a lot of education on security and the threats we face in our bank so management is aware of what is happening. It's heartening that I don't have to spend too much time and effort explaining why it is costly to invest in security. If anything, the board often asks if I need more funds. It's a huge shift in the mindset that they recognise security as critical to business operations and survival."
Lack of Actionable Intel
Most of the participants suggested that analytics to anticipate likely attacks and vulnerabilities had become more critical than ever. Many CIOs had extensive data logs of cyber intrusions but little insight into who was targeting them and why. In particular, the information was coming from multiple sources thanks to the numerous endpoint solutions in their comprehensive security infrastructure. The result is no single, unified threat analysis but lots of disparate information about threats.