Christopher Cope has been a cyber security and information security practitioner since 2002.
He is currently the Chief Information Security Officer for the National Nuclear Laboratory, an organisation which provides research and development and consultancy to the nuclear industry.
Prior to that he worked as a consultant, which followed on from service in the Royal Air Force, where he held a variety of cyber security and information assurance leadership roles in the UK and overseas.
The CISO's role is a very high-pressure, high-stakes job. What is the right profile for this job?
The CISO role is a complex and constantly evolving one, which has a touch of the polymath about it. Within cyber security and information security there are a number of key and supporting themes. Technology is of course important but so too is the need to understand the management of risk, legal implications, supply chain assurance, physical and personnel security, business continuity, assurance, project management and general business awareness.
You may have begun your career in one of those areas, but to be an effective CISO you must get to grips with all of them; there is no hiding in a personal comfort zone. Given that many of these areas evolve rapidly, a CISO needs to have a hunger for continual education and a willingness to admit that there will be gaps in their knowledge. In today’s rapidly evolving business world, a CISO must always be able to prioritise, communicate and deploy the full range of soft skills needed in any leadership position. It also helps to have a hobby; we all need to sharpen the saw sometimes.
How important is it to have the CEO thinking that security matters?
Absolutely critical. If your CEO and other business leaders do not understand the importance of security to them, then success becomes almost impossible to achieve. You will always need resource and good will from the business to implement improvements.
Some people call for daily security drills and exercises, at all levels of an organisation to help reinforce defensive strategies. What are your thoughts on this?
I’m a big believer in ‘train hard, fight easy’. It’s a good motto for incident response and resilience. But there has to be some consideration on the business that such exercises will take. If one is working in an organisation which expects to be attacked frequently and has very low recovery time objectives, then the deployment of a dedicated response team with the time and space to exercise would be justifiable. However, many businesses do not have the same threat profile or a dedicated incident response team, so the need to exercise must be balanced against their other roles.
No response plan will work effectively if it is not reviewed and tested; the key is to find a level of exercising that you are comfortable with as an organisation.
The biggest threat to your institution is already inside the building. Studies show that 60% of cyber attacks come from inside the company. What are the key strategies to address this challenge?
Your staff is your greatest security asset and your biggest vulnerability. A well trained workforce can pick up on vulnerabilities and issues and help you to close the gaps. Conversely, a poorly trained or motivated workforce will become a target for exploitation. For that reason, security education must be at the top of the agenda for every CISO and security manager in general.
However, security education and awareness can't be a one-size-fits-all strategy, or one which is based purely on delivering hard metrics. Education should be provided on arrival to the organisation and staff must be reminded of the threat and their responsibilities periodically. They must also be communicated to in a way which is relevant to them; it's rare that one message or medium will work for all. I tend to work closely with corporate communications teams who know how to target messages in order to achieve best effect.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
The rate of change and business transformation can be a very real security threat. Keeping up with developments requires time and skills to evaluate the new services or products. Being informed of a launch date the day before is a terrible place to be and usually ends in frustration for someone, so it’s far better for security teams to be involved early.
You’ve been in the industry for 17 years. What are some of the biggest changes you’ve seen in terms not only of threat, but how cyber security is viewed in an organisation?
The change has been monumental. When I started out, IT and security rarely spoke to each other and cyber security was given a very low priority. I also spent a lot of time dealing with enquiries relating to faxes and typewriter ribbons; these days not so much. Technology has marched on and has rapidly changed how we operate. However, as we have grown more reliant on information and operational technology, coupled with numerous high-profile incidents, there is now a clear need to take this matter seriously. Certainly business leaders are now expecting to be informed of their cyber security risks, and are asking hard questions, and legislation like GDPR has helped to focus organisations on the potential impact in the event of an incident.
In terms of threat, we have seen the attackers' tactics change over time – the advent of APTs, for example. But the basic premise of 'find a vulnerability then exploit it' remains the same. A real area of concern though would be the advent of cyber-physical and hybrid attacks. There are clear risks here to organisations and wider society that will require a joined-up approach to remediate.
Cyber security and information assurance is still a new specialisation, but one that is having to mature rapidly to meet the evolving threat. I hope that we can promote this specialisation as an exciting career, dispel some of the perceptional myths and encourage people into it earlier, particularly women, who are woefully under-represented.