Dave Roberts joined Radius Payment Solutions as Chief Information Officer in 2014.
As CIO, Dave is responsible for the IT Development, Security and Support teams at the Group’s headquarters in Crewe, the Manchester-based Technology Centre, the Wrexham-based Telematics IT team and the IT Telecoms team in Chiswick. Under Dave’s leadership, Radius Payment Solutions is excelling at delivering advanced industry-leading technology that differentiates the organisation in the fuel card, telematics and telecoms markets.
Dave has been working in the IT Industry since 1997, with previous director experience across global IT teams. He is committed to delivering transformational IT services and driving forward programmes of change. Dave participates in a number of IT Advisory Boards and was appointed as a Fellow of BCS, The Chartered Institute for IT in 2015. Dave has a Bachelor of Science degree in Business Information Systems and a Master of Business Administration degree.
How do you articulate the three-pronged approach of people, processes and technology?
Failure to comply with regulation or compliance will often be a result of a breakdown in people, process, or technology. In order to maintain a secure and compliant environment you need to ensure these three components are delivered appropriately and aligned to the overall organisational security strategy. It is important that employees are informed about the different techniques deployed by hackers and know how to react when they identify something suspicious. Investing in technology and implementing appropriate policies will help to mitigate and defend against many threats and risks, but these could potentially be bypassed using social engineering techniques. People are often considered to be the weakest link in the security defences of a business, which is why staff education and testing of contingency plans are imperative.
There are also situations where there could be malicious intent to either do damage to or expose company information via an insider attack. There are numerous steps that can be taken to limit the exposure to such key information using least privilege techniques and monitoring unusual behaviour to alert upon potential data leaks. It is never possible to eliminate all IT security risks but using the three-pronged approach helps to mitigate against threats and minimises the impact of any exploits.
What should corporate boards know about conducting information security?
Corporate Boards should be educated on the risks that the organisation is exposed to in terms of Information Security. There has been extensive press coverage of examples of where cybersecurity has failed and the associated financial impact it can have on organisations. It is therefore important that Corporate Boards should have oversight of the organisational risk register and understand the mitigation strategies being deployed or tolerated.
It is important for a Board to plan ahead and discuss the response plan to an incident or breach, either internally or by a third-party partner, involving organisational data. There should be contingencies in place to address a variety of incidents involving Information Security. The response plans should be cross-functional, dealing not only with the technical exposure but also the marketing and communication activities that support the overall incident.
The Corporate Board can help support and underpin the culture of the business and drive the appropriate behaviours needed to safeguard the organisation. If the cost of IT Security seems high, then it needs to be compared to the cost of a cyber breach and associated financial and reputational impact it can have on a business.
What advice do you have for security leaders?
Security leaders need to understand the culture of a business and ensure they can be seen as an enabler. Security can help to drive innovation and create competitive advantage for a business, helping to differentiate them in the markets in which they operate.
It is important for all IT leaders to look outside of their organisations and expand their networks. Building relationships can help to identify new opportunities or avoid the mistakes that others have already encountered. It can also be rewarding to help and mentor peers who would benefit from your own experiences and knowledge.
Challenging the status quo and ensuring you can keep abreast of industry trends, technologies or tools that can support your strategy is essential. It is healthy to engage with a variety of suppliers and vendors over a period of time, as this will help you to gain a variety of perspectives as part of a programme of continuous improvement and innovation.
Security leaders should build good relationships with key stakeholders across the business. These relationships will help the senior executives to learn more about the organisational security risks and likewise it will also provide the security leader with greater insight to the commercial challenges and the execution of the overall corporate objectives.
The biggest threat to your institution is already inside the building. Studies show that 60 percent of cyber-attacks come from inside the company. What are the key strategies to address this challenge?
Internal threats could either come from accidental or malicious intent, but either way these vectors can bypass the perimeter security layer. It is therefore important to have a blended approach that relies on people, processes and technology.
Restricting system access based on role-based security and utilising the principle of least privilege will ensure that there is appropriate damage limitation in the event of such a breach. There should also be a complex password policy enforced to reduce the opportunity of the insider attack.
Security awareness training is critical for all staff and underpinned by policies and procedures. Employees with a better understanding of the threats will be able to help identify issues and provide an additional layer of protection against cyber threats.
There are advanced tools that can be used proactively to monitor and alert on any suspicious behaviour from within the internal network. Running regular penetration and vulnerability tests will help to detect where weak or malicious code might exist. These tools and techniques can help limit the exposure of an attack and reduce the associated consequences.
Should the systems be destructively compromised in a cyber-attack, it will be important that a Business Continuity Plan can be invoked and if necessary, a rapid and least disruptive recovery process initiated. Backups need to be secure, complete and recoverable in a timely manner. It is therefore important that recovery simulations are conducted on a periodic basis.
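Two of the controls described in this answer and in the earlier answer on insider attacks, role-based least privilege and monitoring for unusual behaviour that may indicate a data leak, shown as an added example that is not part of the interview and not Radius Payment Solutions' own tooling. It assumes a hypothetical whitespace-separated audit-log format, a made-up role-to-resource-prefix map, and constructed sample log lines; the thresholds are illustrative and would be tuned per environment.

```python
import statistics
from collections import defaultdict

# Constructed sample audit log (not real data). One event per line:
# ISO-timestamp user role action resource bytes
# alice's last day is a large off-hours pull of master data; bob touches a
# finance file his engineering role should never see; carol is normal.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice finance download finance/q1_report.xlsx 1048576
2024-03-04T10:30:15 alice finance download finance/invoices_feb.csv 524288
2024-03-05T09:05:42 alice finance download finance/q1_report.xlsx 1048576
2024-03-05T14:22:09 alice finance download finance/budget.xlsx 786432
2024-03-06T09:40:11 alice finance download finance/invoices_mar.csv 655360
2024-03-06T15:01:30 alice finance download finance/q1_report.xlsx 1048576
2024-03-07T11:17:55 alice finance download finance/budget.xlsx 786432
2024-03-07T11:20:03 alice finance download finance/forecast.xlsx 917504
2024-03-08T22:41:12 alice finance download finance/customer_master.csv 52428800
2024-03-08T22:45:30 alice finance download finance/supplier_master.csv 31457280
2024-03-04T10:00:00 bob engineering download repos/payments-api.zip 2097152
2024-03-05T10:00:00 bob engineering download docs/eng/design.pdf 409600
2024-03-06T10:00:00 bob engineering download repos/telematics.zip 3145728
2024-03-07T10:00:00 bob engineering download repos/payments-api.zip 2097152
2024-03-08T13:37:00 bob engineering download finance/payroll.xlsx 204800
2024-03-04T09:00:00 carol sales download crm/pipeline.csv 102400
2024-03-05T09:00:00 carol sales download crm/pipeline.csv 102400
2024-03-06T09:00:00 carol sales download crm/pipeline.csv 102400
2024-03-07T09:00:00 carol sales download crm/pipeline.csv 102400
2024-03-08T09:00:00 carol sales download crm/pipeline.csv 102400
"""

# Hypothetical least-privilege map: a role may only touch resources under these prefixes.
ROLE_PERMISSIONS = {
    "finance": ("finance/",),
    "engineering": ("repos/", "docs/eng/"),
    "sales": ("crm/",),
}


def parse_log(text):
    """Parse the whitespace-separated log into event dicts, preserving file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource, size = line.split()
        events.append({"ts": ts, "day": ts[:10], "user": user, "role": role,
                       "action": action, "resource": resource, "bytes": int(size)})
    return events


def least_privilege_alerts(events, permissions=ROLE_PERMISSIONS):
    """Return (user, role, resource) for every access outside the role's permitted prefixes."""
    alerts = []
    for e in events:
        allowed = permissions.get(e["role"], ())
        if not any(e["resource"].startswith(prefix) for prefix in allowed):
            alerts.append((e["user"], e["role"], e["resource"]))
    return alerts


def daily_volumes(events):
    """Map user -> chronologically sorted list of (day, bytes downloaded that day)."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            totals[e["user"]][e["day"]] += e["bytes"]
    return {user: sorted(days.items()) for user, days in totals.items()}


def volume_anomalies(events, min_history_days=3, ratio=5.0, min_bytes=10 * 1024 * 1024):
    """Flag a day whose download volume exceeds `ratio` x the user's own median over prior days.

    Each user is compared only with their own history, so a finance analyst who
    legitimately pulls more than a sales rep is not flagged for that alone. The median
    is used instead of mean/stdev because a few baseline days is too small a sample for
    a z-score and one earlier spike would inflate the mean. `min_bytes` stops trivial
    absolute volumes (or a zero baseline) from alerting.
    """
    alerts = []
    for user, days in daily_volumes(events).items():
        for i, (day, today) in enumerate(days):
            history = [b for _, b in days[:i]]  # strictly earlier days only
            if len(history) < min_history_days:
                continue
            baseline = statistics.median(history)
            if today >= min_bytes and today > ratio * baseline:
                alerts.append((user, day, today, baseline))
    return alerts


def analyse(log_text):
    """Run both checks and return the alerts keyed by check name."""
    events = parse_log(log_text)
    return {"privilege": least_privilege_alerts(events), "volume": volume_anomalies(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Run on the constructed log, the privilege check reports only bob's access to finance/payroll.xlsx, and the volume check reports only alice's 2024-03-08 total of about 80 MB against a baseline of roughly 1.6 MB per day; bob's and carol's volumes stay within their own baselines. In a real deployment the role map would come from the identity system and the log from the file server or DLP tool, but the two checks themselves are the ones the answer describes.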
How can CISOs balance security and innovation?
At a very high level you could consider innovation to be either incremental, disruptive or breakthrough. There is a close relationship between improvement and innovation but of course, not all improvements are innovative. Innovation in Security can often help to reduce overhead and operating costs within a business through continuous improvement, helping to drive best security practice.
It should not be a zero-sum game between security and innovation. Security by design should be applied at all levels of the organisation, including software development and software procurement. Security can be a differentiator and provide new and existing customers with the reassurance of working with a supplier that recognises the importance of data integrity and security. ISO 27001 is the benchmark standard that can help demonstrate the level of maturity around Information Security. Having this level of accreditation can provide a business with a competitive advantage and allow it to expand and grow into new markets and increase the profitability of the business.
You’ve been in the industry for over 20 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organisation?
Cybersecurity has significantly changed and become more sophisticated over recent years. IT Security is now a Board level agenda item, with plenty of high-profile media coverage of the business impact that cyber-attacks can have on an organisation.
Cyber-attacks have previously been focused on malware, where the impact was more about disrupting domestic home users and businesses, but was considered an annoyance rather than an organisational threat. Hacking is now far more professionally focused and often has state sponsorship. The result is that hackers are now very focused on financial extortion and identity theft. State sponsored hacking is not considered unusual and there are many examples of corporate secrets and sensitive documents being leaked in what could be considered a new dawn of cold war tactics.
Cyber defences have become more sophisticated to handle the extent of new threat vectors but it’s a continual game of ‘cat and mouse’ between the black, white and even grey hat hackers.
The result is that Cybersecurity is now more important than ever and should be considered by every organisation as an essential hygiene factor when running a business.