Many years ago I went to the doctor with a weird arm. If I held my elbow and wrist just-so, it seemed to stop the blood supply going to my fingers. Nothing too dramatic, but worth getting checked out. I was referred to the local hospital where the specialist remarked that he had never seen anything like it and he was keen to investigate further.
“I should add that you’ve been referred to the wrong department. This is gastroenterology. We don’t really do arms. But we’d really like to take your case on.”
I’m reminded of this because it’s been a long time since we expected anyone with specialist knowledge in a particular area of medicine to have transferable skills to another area. No matter how much I respect the dedication to their profession, I didn’t really want the gut people poking around in my arm, just as, if I’m looking for some brain surgery, I’m probably not going to ask a rocket scientist.
The same is increasingly true for the various fields of so-called ‘IT’. We need our ‘general practitioners’ right up to the level of CIO. But just as we don’t expect them also to be coders, we shouldn’t expect them to be experts in cyber-security.
The cyber-threat landscape is growing. Malicious actors are at every level from script kiddies to nation states. Ransomware, cryptomining, drive-bys, DDoS, phishing, spear-phishing, whaling – the list goes on and on. Do you remember when IT security meant turning off Office macros and not accepting floppy disks from strangers?
And now we expect the people who have had to absorb the explosion of knowledge that came with infrastructure changes (either chosen for sensible strategic reasons or foisted upon them) to also be experts in the security threats associated with every one of those choices plus everything else that’s going on.
It’s no disrespect to anyone, from ‘the IT guy’ to the CIO, to say that someone with substantial experience in Information Security should be there to provide insight, strategic direction and a voice that senior management and the board will listen to.
Let’s take one example – phishing.
We all know the C-level execs who insist on having admin rights on their laptops because they might need to install extra productivity software out of normal IT support hours. Who really need to run Excel macros. Who haven’t updated their OS since 2015 because they can’t risk losing those years of work that they haven’t backed up to the secure server.
Even in the simplest kind of attack these are the people whose word will be believed when an employee gets an email asking them to click on a link, make a bank transfer, send a bunch of confidential files to this person really quickly. Don’t question my authority. Here’s the email address.
Does an organisation really need a CISO just to tick the other execs off for not making sure their anti-virus software is up-to-date?
Well, no, it shouldn’t, but then who the heck else is in a position to speak to people at their level?
These days every single person and every piece of technology they use is an attack vector and the more senior position they hold, the bigger the target and the consequences.
And it is the role of the CISO to make sure that an IT Security Policy exists. That it is relevant and aligned with the overall business strategy and business priorities. That it is not just some other document that’s put in the new employee welcome pack and never read.
Of course, there’s so much more that a CISO can bring to an organisation.
Let me give you some thought points. Little situations that may light a spark of recognition (though obviously exaggerated for dramatic effect!)
The “Information Security Incident Management Policy” that was painstakingly created and tested 4 years ago and hasn’t been used or updated since you moved offices and changed from making artificial hips to writing cryptocurrency trading software.
The cyber-security audit that you aren’t expecting despite the fact that it’s stated quite clearly as a requirement in Section 23.12.4 (Page 97) of the contract that the sales team signed three months ago to get the new client to send over that first purchase order.
The GDPR audit you carried out when you realised that half your customers were EU citizens, and which you now realise hasn’t been updated since May 2018 even though you’ve been gathering data ever since and meanwhile have moved all your data to a cloud-service provider in a country that your tech-lead thinks ends in ‘-bia’.
These aren’t examples of data breaches, or evidence of hacking, or any other cyber-security nightmare situation. But if something were to happen and you didn’t have an incident plan, you couldn’t say what data had been lost, and an audit revealed you were in breach of contract, the consequences for your reputation and even your ability to operate could be severe.
When you don’t have someone leading on Information Security at CISO or equivalent level then you can end up with too many people each doing a little bit or one person not quite doing enough, with no strategic overview, no sign-off and no buy-in. It just becomes a tick-box exercise which won’t provide effective cyber-attack prevention and won’t wash with the insurers if the worst happens.
The information you have, where it is stored, how it is being transmitted and protected is no longer a thing for lowly tech people to be solely responsible for.
And let’s be clear, ‘information’ isn’t just the data you have on your servers. It doesn’t have to be the blueprints for your new miracle widget that hackers are trying to get hold of, or even your bank details. It could be details of your supply chain, copies of your invoices, even how you communicate with your colleagues. It could even be what you sound like on the phone.
Realise that bringing in a CISO does not have to mean creating a new full-time C-level position at great expense. Wouldn’t it be better to bring in the experience and insight of someone who is continually learning in different environments?
These days CISO “on-demand” means this kind of industry experience can be brought in in a way that fits your organisational needs. To shape the security strategy, build the appropriate skills within the IT team, manage security within projects or to solve particular immediate challenges. All this at considerably less cost than a full-time hire.
An ongoing CISO presence, even if in a part-time role, keeps cyber-security where it should be, in the minds of every employee at every level.
Want to learn more about managing your cybersecurity resources to best minimize your risk posture? Get in touch with us. We are here to help.