I have been in the IT industry for nearly 20 years with over half of that being in security.
I have worked across many business sectors but heavily in Financial Services and enjoy guiding businesses through the security journey taking them from nothing or the tick box operation, and transforming security into an effective business driver that adds value to the business and delivers real security benefits.
How could we address the perception of cybersecurity holding back the business?
That’s a hard perception to address. Traditionally the security function has been seen as the “department of No!” because poor security teams will state what cannot be done and walk away, whereas what they should be doing is understanding what the business wants to achieve and offering the guidance required to achieve that objective in a way that also matches the risk profile of the business. Ultimately anything can be done; it’s just a case of identifying what security needs to support the business with in order to do it in the best way that doesn’t expose the business to unnecessary or unacceptable risk.
Are there any key phrases or terms that security executives should use when talking to the C-suite about the business?
When speaking to the C-Suite I often think about what I shouldn’t say first.
Too many CISOs fall back on driving buy-in for security with FUD (Fear, Uncertainty and Doubt), and that can have a place in the conversation, but it has to be measured and not sensationalist. Generally, the message the C-suite wants to understand is how the security program is supporting the business, ranging from increasing customer attraction and retention to company reputation and what is going on from a security and regulatory position, which is improving how the business is viewed in the marketplace.
How security is driving business innovation and the adoption of new technologies which improve end user perception is also important.
How do you make sure you know what new projects are on the road map and that security is baked-in from the process side?
Put simply, this is about integration with the business and networking. Too many security functions lock themselves away in an office and behave like a clandestine department. To be effective the security teams should be speaking with everyone in the business, and the CISO should be talking with the heads of every department on a regular cadence and should be acting as an SME for them to ensure they understand risks at an early stage of every project. We are all familiar with the concept of privacy by design thanks to GDPR, but security by design should be an innate feature of every business.
How can security executives help the C-suite better understand cybersecurity?
Talking to the C-Suite is not easy. As security people we are required to and accustomed to speaking a very different language to most other people in the business. This isn’t a bad thing. It’s the language of our trade, in the same way most other professions have their own terminologies and acronyms which are natural to the people who use them and foreign to security people.
The key to getting the C-suite to understand security better is actually quite simple: if we as security professionals use common language and are willing to explain in simple terms what we are talking about, the audience will be able to grasp what we are talking about. Many CISOs fear that people will find the explanation patronising but I think it’s better to explain clearly in simple language (even getting up and drawing diagrams on a whiteboard if needed) and be understood than to use a string of complex industry specific terms which are lost on the audience along with the message you are trying to convey.
What advice do you have for security leaders?
The best piece of advice I can give is to be approachable. If you can have an ongoing dialogue with the business at all levels, people will be comfortable talking to you and you will find out about the issues faster, which lets you step into the role of an SME and guide the business before things get bad.
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of cybersecurity awareness training?
Awareness training is vital to any business. In a world where risks and regulations change on an ongoing basis and at a speed which can be quite frankly scary, there is an expectation on all employees to adapt and adjust to these changes, and awareness is how we communicate these expectations to them. As an industry we need to make sure that we are doing this in an effective way. The days of once-a-year 30-minute training courses are done, I’m afraid. The awareness needs to be continuous, relevant and engaging. Short, high-quality messages delivered in a way that keeps people’s attention are what work best. Standing up and talking to the company at town halls, and using online awareness training that also builds on gamification, can also deliver the key messages you need people to understand in a way which engages the audience without sending them to sleep.
Unless security is integrated into the business at all levels it will not be effective, which means engaging every person, no matter what their role, to make sure they are part of the security team.