Why is it so hard to get Cyber Security right? #1 – The CISO

By Nils Solvang, Managing Partner.
Image courtesy of CloudTweaks.

Another CEO of a well-known brand is in the news. The company website has been hacked and the CEO is being pushed to explain why and how it happened, who could have done it and, most importantly, what the impact is on the business's customers. There is probably no point discussing the total cost to the business at this stage; that can only be calculated once the incident is fully understood and resolved.

Away from the cameras, another person is facing some serious questions from the hard-pressed CEO. The person responsible for the business's cyber security, normally a Chief Information Security Officer (CISO), would have been expected to ensure that the business never got into this position.

How is it possible that a big, professional enterprise repeatedly ends up in this situation? Can it really be that hard to get right? By now, surely, we should have CISOs with the expertise to prevent this kind of problem.

Well, let us be clear: getting Cyber Security right is very, very hard. There are a great many aspects of the problem to consider, and the pace of change in both attack methods and technology is very high.

In attempting to explain the complexity, some commentators have turned to the numbers game, working out the probability of a breach by analysing all possible attack profiles and their corresponding defences. That is a useful way of exposing some of the challenges of Cyber Security, but on its own it is a bit like ignoring psychology when trying to win a Football match.

This series of posts takes a closer look at some softer considerations for successful Cyber Protection, namely Organisation and People, but also touches on Technology and Infrastructure.

Firstly, a look at the characteristics of a good CISO. The role compares to that of a Football referee in that everyone has strong views on how the job should be done better, and is very vocal about it. If no one notices you, you are probably doing quite well. A lot of attention usually means either poor communication or wrong decisions: introducing unexplained, disruptive Cyber Protection measures on the one hand, or suffering recurring serious breaches on the other.

Many CISOs come from a strong technical background, which is obviously useful. However, the best footballers seldom make top referees. What you actually need from a good CISO is great communication skills and clear leadership. A clear communicator can describe and quantify the potential consequences of a security breach and, better still, secure investment in security by linking an improved security posture to increased revenue. A good leader can engage and motivate technical stakeholders to deliver the security programme of work.

Copyright 2016 John Klossner.  www.jklossner.com

A good Football referee will call on the two teams' captains to calm things down should a game get out of hand. The talk will only have an effect if the referee is well respected and understands the roles the captains play. Similarly, a CISO needs to show leadership and maintain good relationships with the CIO/CTO and the CFO. Understanding their priorities is vital in order to form an effective cross-functional coalition that develops and maintains a good security posture across the business.

If you are a North London business based in Hertfordshire, Essex or Buckinghamshire and would like to meet up anywhere from Finchley to Letchworth, or St Albans to Ealing, for an informal chat over a coffee to discuss your cyber security concerns further, contact us now.

Covering North London, from Bedford to High Wycombe, Camden to Harrow and Barnet to Watford, CloudCIO is an independent, vendor-agnostic Cloud IT consultancy, ready to help with your IT opportunities today.
