With data breaches and serious cybersecurity incidents for businesses becoming ever more common and persistent across an expanding attack surface, and wide-ranging legislative changes such as the European General Data Protection Regulation (GDPR) being ushered in, it’s never been more important for organizations to take cybersecurity seriously.
It is in this climate that CyberProof attended the IT Security Analyst and CISO Forum in London, meeting with like-minded security professionals to discuss the issues that will come to define our industry in the months and years to come.
Among the most interesting elements of the two-day event was a CISO panel discussion, featuring top CISOs from a broad range of industries including money transfer services, technology manufacturing and pharmaceutical production, titled “What is good security anyway? CISOs top tips on what makes a company secure”. The panel presented an interesting array of insights from people at the top of the security infrastructure at globally recognised brands.
A single theme that ran through the debates was the need to properly educate and inform board members and senior staff about cybersecurity threats. “Educating your seniors that [in terms of security] failure could be an option is vital. A company can be in a bad situation in terms of security, but if it responds appropriately in terms of leadership, planning and PR, it’s entirely possible to pull back from a serious incident. A bad security person during an incident I can deal with; a bad PR person I cannot,” one CISO suggested, adding that security teams should “celebrate near misses - even the ones that were pure luck, as opposed to skill. This level of honesty will help your seniors to appreciate the work you’re doing, and to open a dialogue.”
The CISOs also waxed lyrical on ways to foster an appropriate culture, with warnings to ‘expect a breach’ dominating. “If you expect a breach, you can plan for it, which allows you to then manage expectations,” one of the CISO panellists suggested. “If you can get the culture of a company right, you can teach your security teams that it is okay to screw up – people screw up all the time. You’ll get more points for telling someone you’ve screwed up than for hiding something.”
The panel also allowed themselves a (very small!) moan, suggesting the metrics used to measure security were in many instances a waste of time. “Security metrics are difficult, as it’s harder to provide a negative than a positive,” one said, with another adding: “The total number of incidents metric, I hate. It can be adjusted by taking people out of the SOC, with a negative impact on security. Concentrate instead on measuring things you can control, and speaking in their language. The board are unlikely to be wowed by your technical prowess!”
All in all, the panel provided invaluable information for attendees on the inner workings of security teams at the highest level: how to convey complex ideas and information appropriately, and how to respond when things go wrong. As security becomes more and more crucial to everyday business function, these conversations become all the more vital.