At a recent industry event discussing security, a question was raised as to who needs to take ownership of security issues. The comment was made that it needs to be
“someone senior enough to care, but junior enough to know what they are talking about”
This summarises a major issue in the cyber security industry.
Security is a deeply complex issue, balancing threat, risk, business objectives, technology, process and people.
Senior business people tend to know about business objectives and how to offset or manage business risks. When it comes to security risk, they are not experts, so they need to rely on and trust the information provided by the security experts. Sadly, when these two people meet they talk completely different languages, creating confusion rather than understanding of the issues. The outcome is often that the senior person overlooks the risk or deals with it in an inappropriate or non-optimal way.
The good news is that the industry is starting to see a set of CISOs* who first and foremost understand the business. I cite two examples:
- CISO from a drinks company:
“My job is to make sure the brewery is able to produce beer; if that process stops we lose money”
- CISO from a train company:
“My job is to make sure the trains continue to run on time and do not bump into each other”
In both cases they then define their role as assessing the security risks to that business process (attacks on SCADA systems, for example), and then putting risk mitigation strategies in place to make sure the business process does not fail.
As security professionals, we need to encourage this and make sure we can translate security issues into their language.
I wonder if the NatWest CISO sees his job as “ensuring customers can get money out of their accounts”!?! (See this blog post about why I saw this as a security issue.)
* CISO – Chief Information Security Officer.