The CIA of Information and Cyber Security
Author: Christopher Cope, Head of the Cyber Security Assurance Service, UK Home Office
A few years ago, I attended a cyber security conference. One of the presenters asked the delegates to raise their hands if they regarded themselves as security practitioners. We all raised our hands. Then he asked us to raise our hands if we regarded ourselves as ‘businessmen or women’. Suddenly, in a room of over a hundred people of varying seniority, only a small number of hands went up. Why? Does this matter?
Well, yes it does, if one considers that one of the biggest cyber security issues today is engagement. Recent research into the boardroom view of cyber security paints a confused picture. Some executives believe they are poorly informed and have little confidence in the controls used by their organisation; others feel very well informed and are absolutely confident.
At the same time, a third of CISOs leave an organisation because of poor senior management engagement and support. This is a problem, and it's one that I believe is caused by poor business skills but can be addressed by the application of CIA skills – collaboration, influence and articulation.
Collaboration
Many cyber security practitioners have a wide variety of technical skills, yet many lack good interpersonal skills. We can also spend a lot of time discussing whether cyber security sits best in the IT department or in a security, compliance or risk team, but this misses a key point.
An organisation exists to deliver an output; it is supported in those endeavours by a variety of specialists performing other roles, including security. Yet how often do we as cyber security professionals spend time with those whose responsibility is to deliver on that key mission? Do we understand what they are trying to achieve? Do we understand why there are frustrations with provided equipment that result in less secure workarounds? Are leaders from the wider organisation assisting in the development of risk assessments – do they own risk?
I always make the point that the earlier I am involved, the better I can advise a project, reducing time, effort, frustration and money. Yet do we allocate time to catch up once a project has gone live? We are all busy, but if we are constantly chasing around fixing problems caused by people within the organisation, that time would be better spent engaging with them and understanding why the problem arose in the first place. It is far more effective to fix the root cause of a problem than to repeatedly manage its symptoms. It can also be a cheaper option than buying another piece of shiny equipment.
If you work closely with the organisation you will also build up trust. Security is not always welcomed; we can be seen as blockers, the people who always say ‘no’. This is not a healthy relationship. Our role is to support the wider business. We may of course have concerns over activities they may wish to undertake, but let’s not make the mistake of believing that our concerns over security are more important than their concerns over other risks and issues.
We need to put our security threats and risks into context and recognise that business leaders also have legitimate interests. Most of all, we have to be flexible. We may have our preferred ways of doing business, preferred technology and preferred processes, but that doesn’t mean there aren’t alternatives; if an alternative provides adequate security and the wider business prefers it, we should be open to it. Many in the cyber security profession move jobs, often between industries. It’s good that we take our experience with us, but let’s not forget that we don’t have all the answers. Discuss options with the business and ensure that you aren’t imposing controls that unduly hinder them. It’s important to remember that people do business with people. We have to be seen and we have to be approachable if we are going to make a positive impact.
Influence
How can you influence from the bottom up? Should a CISO sit on the board? Both are valid questions but it’s important to realise that seniority alone is not going to guarantee influence within an organisation. Influence is closely linked to your own credibility. So let’s ask ourselves a question: are we acting like key members of the business? More importantly, do we regard ourselves as part of the wider organisation? Have we fully bought into the culture? Do we share the organisation’s aims and objectives? Are we actively trying to support them? An organisation isn’t going to promote a CISO to the board who is not ready to operate at that level. Equally, a cyber security practitioner who continually cries ‘wolf’, offers little flexibility and is perceived to be unhelpful, is not going to influence, regardless of their position in the formal hierarchy. Think about how you dress, your language and tone – what impression are you giving? Can you be taken seriously?
This of course does not mean that we should leave our integrity at the door and not highlight key risks, particularly where there are very significant impacts. We have to maintain the moral courage to speak truth to power; but there are times to recognise that there are better options than digging our heels in, and we should keep our ‘political capital’ for those occasions where it is really needed. Be seen as a problem solver, rather than a problem; someone who the rest of the organisation can do business with.
Articulation
How often do you look at cyber security training and conclude that it’s trying to reach too many types of people to be truly effective? It’s not just awareness training that suffers from this problem. I listen to cyber security colleagues who talk to senior management, other organisational leaders and non-technical people as if they were part of the IT department. Not everyone will understand the terminology, or the importance of the information you are trying to impart. Stop and consider ‘so what?’. What is the key message that I want the person I am talking to to take away from this conversation? How can I put this into their language and make it matter to them?
The board is interested in profit and loss, reputational damage and anything that harms operational output. Project managers are keen to deliver on time and on budget. Operational managers want to deliver a service without too many glitches along the way. Few, if any, of them will care about the latest ransomware attack in the abstract; they will care about how it affects them. Understand what ‘language’ your audience understands and use it. Keep your communications concise and avoid technical jargon. Find out what your audience cares about and factor that into your impact assessment.
There will undoubtedly be junior staff who only need to speak in technical terms to their peers, but as one progresses into management, engaging with the wider organisation becomes an increasingly important part of the role. A CISO is not a hands-on technical role. The CISO must understand and direct cyber security operations and be seen as competent both by those who work for them and by the wider organisation. However, technical skills alone are not sufficient to make them successful. The key to success or failure is interpersonal skills.
Clearly, we need technical people who can design and implement cyber security controls, but cyber security does not sit in isolation. We have to engage with the business; we have to communicate with the business; we have to support the business. Without them we don’t have a job. There is no point bemoaning the lack of senior stakeholder engagement if we don’t speak their language and fail to portray ourselves professionally.
Maybe, for this year’s development plan, we should focus on business skills rather than technical ones? Maybe when recruiting for security roles, particularly managerial ones, we should emphasise strong business skills rather than the current list of acronyms? Or perhaps we can seek to recruit people who already have good business skills and teach them cyber security – not every role requires deep, hands-on technical knowledge.
The cyber security industry is still in its infancy and there is room for development in many areas and significantly in professionalisation. Regardless of what the future holds, the one constant is that we will have to support and engage with the businesses that pay our wages. Now is absolutely the right time to improve how we do that.
Christopher Cope has been a cyber security and information assurance practitioner since 2002. He is currently the Head of the Cyber Security Assurance Service at the UK Home Office. Prior to this role, he worked in various government roles within cyber security and information assurance, including several leadership roles, and has been employed as a consultant.