Cyber security has risen on the agenda for AEG and for Jones, a member of the 2017 CIO 100, who had recently appointed a new security director when we met at the start of the summer. Jones noted that while physical and operational security had always been incredibly important for the organisation, as AEG increased its scale it had perhaps been slower to keep up with some elements of cyber security best practice.
"From an information security point of view, I think partly because we're a private company and partly because we've grown rapidly, we probably didn't have some of the more enterprise things that a business of our size should have had in place," Jones said.
"We had a new CIO join the global organisation a year ago and he identified quite quickly that there was a gap in our operation that we didn't have any real resource in information security. Also at the same time we were identifying this as a potential challenge as well.
"We're quite a lean business, so to have invested in information security is a clear sign that everyone really takes it seriously."
Jones said that the new information security director and team were providing a health check to make sure the correct technological practices were happening, while helping with more high-level policies, procedures and strategic business security elements.
With enforcement of the EU General Data Protection Regulation (GDPR) approaching in May 2018, Jones said that regulatory compliance would also be an important focus over the next year.
Getting ready for GDPR is a hot topic among Jones and his CIO peers. His biggest concerns relate to the clarity of the guidelines and their interpretation by regulators, although with a significant business in Germany, where privacy regulations are significantly more strict, Jones is confident AEG will not fall foul.
"The reality is probably that many organisations aren't anywhere near where they should be," he said. "I think one of the big challenges with GDPR is there's probably quite a big lack of clarity about actually what the regulations will really mean in day-to-day life.
"We've got complexity, we've got businesses in three European countries. And of course the benefit of GDPR is that all those businesses will then be conforming to one common set of standards. The reality of course is it won't be like that because each regulator will interpret things slightly differently.
"To a certain extent we're already dealing with some of the GDPR themes in Germany, because Germany's just been ahead of the game on this one, particularly with things like marketing consent.
"There's quite a lot of due diligence to be done in most businesses. So it's definitely a focus for us, and there's a little joint working group between the information security director, myself and a couple of key people from our legal team in Europe as well."