Wieger van der Meulen, IT Security Manager, Leaseweb Global, stresses that all businesses need an approach which sees security as a leadership issue and discusses how the role of the CISO is evolving to align with this change.
For many organisations, being completely honest about their approach to security would be to admit they could do a lot more. This is despite the fact that the security risks we all face are more numerous and dangerous than ever.
According to the Department for Digital, Culture, Media and Sport, only 31 per cent of UK businesses have undertaken a cyber risk assessment in the last 12 months. Although this is a 7 per cent improvement from 2018, the findings would suggest that UK businesses are still not placing sufficient emphasis on their cyber security approach and processes.
The question is, why? Cyber security is not dependent on the limitations of affordable software or services. Similarly, companies can’t credibly claim that they are unaware of its importance or how serious it can be if they fall victim to a criminal attack.
That leaves only a few possibilities to explain why security still isn’t higher up the agenda in businesses of all sizes, and one of the most likely is mindset. If businesses view cyber security as a distant risk, or just an IT issue, the natural effect is that there’s no sense of urgency and procrastination becomes the default, long-term security strategy.
What’s needed – for businesses of all sizes – is an approach which sees security as a leadership issue, backed by the attitude that it’s as fundamental as any other key business activity, whether it’s sales and recruitment or tax and cashflow. It’s all about mindset.
Also of interest: How can CISOs be better leaders?
Security is a leadership role
Look at this way; in the last 10-15 years the role of the Chief Information Officer (CIO) has changed dramatically because businesses realised they needed IT leadership. Back then, the CIO was often viewed as someone who set up laptops and network cables, whereas today they are seen as a key digital enabler for business, playing a crucial role in many organisations.
In a similar way, the individual in charge of security has often been regarded as someone with a purely technical skillset, without much understanding of the business, keeping hackers at bay.
But at an enterprise level, many organisations now also see they need cyber security leadership. This increasingly means the appointment of a Chief Information Security Officer (CISO), who has direct responsibility for cyber security from the top down.
CISOs are risk-oriented, with a strong sense of what the organisation needs in terms of controls, people and technology in order to enhance decision making, while engaging in discussions on multiple levels regarding risk appetite and risk tolerance. The technical element is still there, but it is not as prevalent as it used to be.
For everyone else, where company size or budget doesn’t warrant that kind of role, a CISO mindset is all about recognising that standards need to be better, and that there are ways to get there even without a specialist in the job.
It starts by viewing cyber security as a core business issue – not a tech problem, and organisations can create this kind of focus either appointing internally (a CISO) or by outsourcing to a specialist partner.
Also of interest: Podcast - Spotting the Insider Threat with Lisa Forte
Working with a Security as a Service (SECaaS) provider is increasingly common, and they typically offer a wide range of services, ranging from standard protection to bespoke strategies to secure every element of IT infrastructure. This approach is ideal for organisations that don’t have internal IT teams big enough to focus fully on security or want to raise the level of protection by working with specialists.
The best SECaaS providers combine technical expertise with really strong customer service to build trust between themselves and their customers. This is a crucial element of an outsourced relationship that is supposed to protect some of the most important elements of any modern business. By definition, they should have a CISO mindset which prioritises correctly and allocates resources to offer the best levels of protection for the available budget.
Irrespective of how the role is fulfilled, the job of the IT security leader is to ensure management understands the challenges they face and translate technical issues into business priorities. IT security leadership must be based on experience, a track record of excellence, and being able to support the business if a security breach occurs. Businesses can apply those ideas equally to the appointment of a CISO or a third-party provider.
On a practical level, a CISO mindset is about assessing risk, the scope for disruption and being able to establish a process for addressing the most urgent issues. This has to be constantly reviewed to take into account the shifting nature of cyber security and the constantly changing risks every organisation faces.
It’s an essential adaptation that every business needs to adopt. Only by viewing cyber security as a positive investment, rather than an expense with little or no return, can organisations avoid the expense and disruption that a security breach almost inevitably causes.