Leadership: Bridging the Gap

In this article Glenn Fitton, ITC’s Head of Cyber Advisory and CISO, explores the influence of leadership, why there is no “silver-bullet” for information security and the simple things organisations can do to better their security.

Glenn has represented information security at a senior level for several organisations across numerous complex industries including construction, FMCG, and pharmaceuticals.

He is a Certified Information Systems Security Professional (CISSP) with a master’s degree in Applied Project Management from Northumbria University.

He built his information security career on a foundation of earlier technical and project management roles.

Now Head of Cyber Advisory, and providing CISO as a service, Glenn visits a variety of organisations, each presenting its own unique challenges and at a different stage of its cyber security journey.

Are there any common business roadblocks that prevent security practices from being implemented?

The most challenging environment in which to influence better information security controls is an organisation that lacks agility. Organisations typically understand the need to adapt rapidly to the market and other macro-environmental changes, but somehow still see the information security challenge as a static and merely theoretical risk.

Often, a shocking news headline about a breach at a peer company causes a knee-jerk reaction from leaders, who then seek a “silver-bullet” which they can invest in, implement and then move on from worrying about the threat.

Unfortunately, there is no “silver-bullet” when it comes to information security, because the threat landscape is continuously changing. Threat actors (attackers) such as nation states, organised crime and hacktivists are inventing new technologies and techniques to breach organisational defences.

The first step to changing this culture of neglecting new risks is to understand that cyber security is a complex, real and moving target. Once the organisation has curbed that assumption, security professionals need to establish a process and method that enables senior leaders to understand the current risks on a regular basis.

Security professionals need to master the art of translating these complex issues to senior leaders, who may not understand some of the technical concepts (because they shouldn’t need to).

How do you convey to the board the message that with regards to cyber security you can minimise the risk, but you are never going to be 100 percent secure?

It can be daunting for many information security professionals to communicate directly with a board to answer the question, “how secure are we?”

Often, we approach the answer in one of two ways:

  1. We paint the best picture possible to show we are adding value and avoid getting fired, or
  2. We detail a scary cyber world with hackers at every door in the hope the board will release additional funding to combat the issue.

Both approaches are equally inefficient.

Whilst achieving absolute security is a great goal to have, the reality is that it’s largely unachievable; no business is risk free, and all businesses must consider and manage competitive risks, economic risks, legal risks, operational risks and many others. Information security is just another form of risk that organisations need to manage.

Before attempting to answer “how secure are we?” security professionals and organisational leaders need to have an open dialogue to define “how secure do we want to be?” We need to define the assets that are most important to the organisation (e.g. people, customer data, systems or proprietary information).

Once we understand what we are trying to protect, we can pragmatically consider the levels of risk and the appropriate controls (and appropriate funding) to protect them.

In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of cyber security awareness training?

The core benefit of having an effective information security awareness training program is, of course, to reduce the likelihood and frequency of malpractice leading to a data breach or cyber event. Where available, face-to-face workshops or training sessions are most effective and help to bridge the gap between information security and the business itself.

When a face-to-face approach is used correctly, the information security awareness program evolves from a one-way message (from security professional to the business) to an open forum which allows both the business and information security to understand each other’s needs better. In this way, the business understands its information security responsibilities whilst having the opportunity to voice the concerns or challenges it may already be facing when trying to uphold these expectations.

The role of information security awareness, therefore, is to bridge the gap between information security and the wider business through establishing an open and direct communication channel.

Do you think legislation should mandate device manufacturers to meet minimum cyber security requirements to avoid an incident?

To reiterate the point made earlier, “there is no silver bullet” when it comes to information security. Legislation, however, could be a huge contributor to establishing privacy and security by design.

Deciding to govern products with legislation can make a real difference, if implemented correctly. For example, in 1983, the front seatbelt wearing regulations for drivers and passengers (both adults and children) came into force in the UK. Today, over 2,000 lives are saved every year by wearing a seatbelt. That’s because both the car manufacturers and drivers better understand their responsibilities concerning seatbelts, which are enforced through legislative controls.

Manufacturers are increasingly building internet connectivity into their products, from refrigerators to doorbells and children’s toys. Technology companies now consider privacy and security in the very early stages of design. However, many manufacturers of IoT enabled devices are not considering security to the same degree.

Attackers are turning their attention to these easier targets and exploiting their weaknesses, to great success.

Security is everybody’s responsibility, so whilst organisations and users need to play their role in securing their own devices, manufacturers should build their IoT devices with security in mind.

The role of legislation in the battle against cyber crime should be to provide guidance, support and enforcement regarding the secure manufacturing of these devices, ensuring that manufacturers uphold certain information security requirements.

Why do some CISOs use technology for its cool factor instead of for securing or enabling the business?

As budget holders, I’m sure at some point in our careers we can all consider ourselves guilty of implementing tools or technology that are aesthetically pleasing or provide the illusion of “security” whilst forgetting the original need.

Over the last five years the information security industry has seen a plethora of new services, tools, technologies and systems introduced to the market. These tools can fulfil very specific use cases such as “Vulnerability Scanning” or “Endpoint Firewalls”. However, some of these tools boast coverage of the entire information security requirement.

When you scour the market to look for information security products, it can be daunting to say the least. Information security professionals (especially CISOs) should have the confidence to take a step back and consider the fundamental requirements (“what am I trying to achieve?”).

Documenting your requirements should happen before any products are even considered. There are many techniques and templates available to help gather requirements at the start of a project and these should act as a blueprint for managing the scope as the project progresses.

In my experience, once the individual requirements are known and documented, a new tool or product may not be the answer. Often, a procedure change or reconfiguration of an existing system can turn out to be the most effective solution.

Where a new product is required, the requirement gathering exercise helps to drive better decision making when faced with an overwhelming amount of potential options.

What is the best way to foster an image of information security being there to help support the business rather than talking about raw technology?

Whilst the majority of security professionals genuinely care about supporting the organisation’s mission, we can sometimes lose our way. When stepping into new organisations, I’m often greeted with an unconscious stigma of “here is the person that is here to cap our creativity and put obstacles in the way of our projects”.

Whilst it is true that change can introduce new risks, when done properly, change is the only way we can start to achieve sustainable and secure practices. Regardless of which role we fill, department we work in or who we report to, most people want to do a good job. For security professionals, if the default answer to any slightly risky endeavour is “No”, the business will become disengaged and consider security as an obstacle.

Security professionals can (and should) influence a better relationship with the business by using the correct language from the start. For example, rather than stopping a project “because it’s too risky”, security professionals should explain the elements that concern them the most, ultimately working with the business to find a better alternative.

Furthermore, using the correct language can help rectify the assumption that information security is purely an IT or technology problem. It may seem we are over-emphasising the importance of semantics, but referring to information security as “Cyber security” or “IT Security” implies that we are talking about technology alone.