On April 22, 2021, Noord hosted a virtual boardroom in association with Tripwire. The event comprised an introduction by Gary Hibberd, The Professor of Communicating Cyber at the Cyberfort Group, and Glenn Tucker, Senior Client Director at Tripwire, followed by a discussion among senior IT professionals on the changing role of the CISO.
Opening of the session
Glenn Tucker gave a brief introduction to Tripwire. Every security incident starts with a trackable change, and Tripwire identifies such changes, helping customers return to compliance. The company is known for its file integrity monitoring, as well as its ‘back to basics’ security controls.
Gary Hibberd noted that through his extensive experience as a cyber consultant, he had encountered very similar challenges across several organisations, from data protection to security challenges, and had worked to help protect organisations, including from internal threats.
Reasons for attending and key challenges
Participants had a broad range of expertise, including risk and compliance, software engineering, digital connectivity, and security architecture.
There was recognition that a heavy reliance on remote working was bringing new challenges to the fore, which required new approaches. As one attendee put it, ‘the more technology we bring in, the more risk we bring in’. Another participant summed up the current landscape as a shift from cyber 1.0 to cyber 2.0 (i.e., moving from product-based to capability-based solutions). The point was also made that cyber is a community threat that necessitates a community response.
Business assumptions in the wake of the Covid-19 pandemic
Attendees reflected on the assumptions that they had made about how their organisation would cope during the pandemic, and whether these had proved to be correct or not.
Some were surprised about how swift and smooth the shift from office to remote working had been. One participant noted that, under ordinary circumstances, a planned switch to remote working in their organisation would have involved 18 months’ worth of planning, but change can happen incredibly quickly once risk and business appetite adjust.
However, another participant noted that scalability – and therefore business agility – had been an issue. A more surprising revelation was that many staff don’t like working from home, while other unforeseen factors included poor internet connections and inadequate equipment.
Business survival as business as usual
Gary noted that the illusion of CISOs being no-departments (as opposed to yes-departments) had been shattered in the wake of Covid-19, as departments had all been forced to pull in the same direction and budgets had suddenly been made available. This had shifted the perception of CISOs as blockers to enablers.
While there was agreement that Covid-19 had instilled a can-do attitude in organisations, one attendee noted that companies had perhaps acted too hastily in their response to the move to home working – and potentially with a disregard for the security consequences. In this regard, it was felt that companies had built up a certain amount of ‘security debt’.
The challenges of remote working
One attendee noted that explaining complex concepts over technology like Microsoft Teams had been challenging and that their organisation had initially jumped from system to system in search of the right technology.
Another problem was that in trying to be as flexible as possible and meet the demand for remote working, hasty decisions had been made, with certain protocols overlooked. Now, as organisations were retroactively trying to enhance security, employees were viewing these processes as hindrances.
The large-scale shift to remote working had also elevated risks that had already existed, albeit on a smaller scale. In this respect, the point was made that the world has changed, and companies are now soul-searching as to whether they have changed enough to meet it.
Dealing with security debt
One participant noted that security debt is a people problem rather than a technology problem. In other words, the technology is already there to support security, but leaders need to be brave enough to face up to the security issues within their organisations.
That said, one attendee noted that remote working reduced the chances of a cyber incident moving laterally across the network and that the proposed move to the blended office and home working would put the company in a weaker position.
Interestingly, the point was made that non-executives were now asking searching questions about security, and C-suite professionals were being consulted more, which paved the way for a more open conversation about what good security looks like in a blended world.
Key governance mechanisms
Major considerations in this area were felt to be GDPR, data sovereignty and data regionalisation. The point was made that while companies can employ third parties to help manage their risk, this doesn’t remove the responsibility for implementing due diligence and best practice – with the idea raised that ‘you can’t outsource risk’.
Raising the profile of security
There was recognition that security can often be seen as a hindrance within an organisation, but by having early conversations with departments, security professionals could reposition themselves as accelerants instead. Moreover, this comes down to talking in terms that are well understood and carry more positive connotations. For example, as compliance exists to build trust, CISOs could talk about creating trusted companies rather than focusing on terminology which instils fear, such as law, regulations and responsibility.
Participants discussed a range of innovative ways that they have tried to make security less dry. One organisation was gamifying security by giving people security scores. Similarly, another had a phishing leader board where employees who had clicked on simulations of malicious emails were named and shamed, while one company had a coloured belt system, where employees were encouraged to come up with ideas to enhance security, ranked by degree of engagement.
Other ideas included storytelling (using cyber superheroes and villains to bring scenarios to life) and ‘assassination by social media’, where security departments surprise individuals with information about them found online, to demonstrate how attackers leverage the information they gather on individuals.
Fundamentally, there was consensus that tick-box exercises are ineffective in this area, and rather than employing technical talk, professionals need to talk in terms of the financial and reputational impact of security. Moreover, cybersecurity needs to be framed in terms of how it can add value to organisations.
Closing of the session
Summing up, Gary noted that good security professionals are ‘pessimistic optimists’, in that they recognise that bad things will happen but have the confidence to know that they will overcome them. The key to security is instilling a sense of collective responsibility, and involving people, technology and providers in an organisation’s strategy will enhance preparedness.
For his part, Glenn underscored that in a constantly evolving environment, security is never static. While companies may feel on top of their security today, this could all change tomorrow, so organisations must never stand still and must ensure that they are proactive rather than reactive.