Mike Brass, Ubisense
August 3, 2023
SI in conversation with... Mike Brass, VP Information Security, Data Privacy and Business Systems at Ubisense
For the next interview in our series, we loved speaking with Mike where the conversation turned to cyber risk, standardisation in the industry and the parallels between security and archaeology!

“To be an effective CISO you need to truly understand the business that you are securing, so my one piece of advice would be to make sure you continue developing your overall business skills and learning from the wisdom and mistakes of everyone around you.”

Can you tell us about your journey into security?

I actually started my career in archaeology, which is still one of my passions! In parallel to my journey in security, I was also working to achieve my PhD in archaeology. I’ve found many transferable skills between the two areas – for example, completing research, understanding analytics, dealing with hierarchy, processing grant proposals, project management, communications. I think there are many skills you can apply from academia to the business world, and vice versa.

I moved into IT in 2000, where I became familiar with many different environments and their challenges, then continued that journey from IT to security within a global engineering company. I was headhunted to join Ubisense in 2019.

I remember one particular moment in my journey that sparked my interest in security; during an EY audit, I became very aware of how security impacts the whole business, and how security can be used as a business enabler and to differentiate against competitors.

In your role now, and the software industry more generally, what challenges, trends or security issues are you focusing on?

Ubisense is a prime example of security as an enabler – how developing an organisation’s security maturity is truly a competitive advantage. We are a real-time location tracking software and hardware business, so we take physical space and make it three-dimensional.

A large part of our client base is in the aerospace and automotive industries, and to be a key supplier to these industries it is a requirement that we are ISO 27001-accredited – our immediate focus is the transition over to the new ISO 2022 framework.

However, our position as a global leader also requires us to be strategic for our clients: we need to be heavily in the know about the threats and the relationships between threat actors in order for us to provide the most appropriate security. Looking at the global context, and trends in the industry overall, geopolitical threats and third-party supply chains are key risks for us to consider. We need to understand the global threat actors and the gangs they support – there is huge multi-fluidity that needs to be considered to predict where attacks are coming from, what the attackers’ purpose is and their intent.

Combined with that, the introduction of remote working also needs to be managed, of course, as well as managing the perimeter infrastructure of offices. You need to know where your critical assets are so that you can produce a high-level mapping of your risk.

On a recent webinar we considered cyber risk and the best strategies for communicating to the board. How do you approach this?

When it comes to risk we follow the ISO method, involving a heat map and qualitative and quantitative methodologies. Using this approach, we provide each risk with a 1 to 5 likelihood and impact score and then multiply that by risk appetite. This method does rely on subject matter expertise and subjective views, so in addition to our annual review of risk scores, we also relate it back to monetary terms. Having a monetary scope allows us to truly understand the full nature of the impact, and allows us to take a more hybrid, more sophisticated approach to managing risk, in terms that the board can understand.

Is there anything you’d like to see improve in the industry based on some of the challenges you’ve witnessed?

I’d like to see meaningful progression toward standardisation in cyber security. We don’t currently have any clear standardisation, and it’s certainly difficult because there are so many different areas and tiers to map. Some organisations have tried to address this in the past, such as the Cyber Council, but they haven’t been able to find a solution to the complexity of cyber security and the myriad of sub-fields.

For example, the role of a CISO, and the business’s requirements and expectations of the role, can be completely different depending on the organisation or industry. Some are far more technical, e.g. within a small team, whereas others are more focused on risk management and leadership. I do think the role is changing, and now involves marketing, communications, and stakeholder relationship management. I report into our CFO, and as CISO I’ve been given full accountability and operational responsibility for infosec. This isn’t the same across the industry, and I think there needs to be more standardisation to avoid confusion and to better enable the right person and skillset to lead security functions for what that business and team requires.

Do you have any advice or strategies for building a strong culture between development teams and security?

My main strategy has always been to listen. If you join an organisation where developers are operating in silos, with very little business support and a shoestring budget, organise a meeting with them and let them vent. This will help you to hear their perspective, understand their pain points, and from there you can work out how to remove any friction. A development team won’t want someone to come in and completely overhaul their processes, but a good team won’t want to be back-patching, and will understand that they can reduce their workload by working with security. Communication really is key, as is collaboration and pragmatism, so that you can work together to help both teams succeed, as well as the overall business. A good relationship with a software development team will enable you to bring in secure processes from the start.

I think security playbooks are really helpful as well, and I’ve rolled these out across the business, from developers and customer service to sales and senior stakeholders. You need to make sure security is fully integrated into all of your business processes and interactions with customers. Everyone needs to understand your security programme and how it translates into business practices, so that security is entrenched into the DNA of the business.

The best way to demonstrate that security is a business enabler is through revenue, as without security you wouldn’t be able to roll out your product or take customer orders. This awareness of the positive role of security has always helped in my experience in building a strong culture.

We’ve recently been discussing the balance between risk, innovation, and security in software. Do you find that there is ever any conflict between these areas within your role of CISO?

I’ve been very lucky to never have any conflict between innovation and security teams. In fact, in my current role, it’s like kicking an open door! I work with a CTO who is big on security and a mature software development function, so there is a good balance. Due to the nature of our clients, security really is central to our business.

Sometimes there are external factors, though. For example, we had an issue recently relating to a particular manufacturing plant in Japan which resulted in a chip shortage. In that scenario we had to source alternative suppliers and quickly redesign our product, but we all worked together collaboratively to fulfil our orders.

What role do you think emerging technologies will play over the next few years in changing and shaping the security landscape?

Similar to many in the industry, I think there are benefits, but we should move forward with caution. At this point, I think we’ve already started to see how malicious actors can use AI. ChatGPT supposedly doesn’t have the capacity to deceive, but it does have certain answers and patterns. I also think there are serious question marks over the backend programming of AI, and in the case of ChatGPT we don’t have any public datasets available. We’ve seen open letters from the founder of OpenAI calling for regulation, and I would agree this is needed.

And finally, if you had one top tip for new CISOs for succeeding in their role, what would it be?

I think my top tip would be: if you don’t understand the business, you’ll be setting yourself up for failure. There are a variety of ways to develop and hone your understanding in this area – you could take a business course or an MBA, find a mentor within your own business, or undertake a leadership programme (there’s a good one by the Cyber Leadership Institute in Australia, and SANS also has a leadership programme). To be an effective CISO you need to truly understand the business that you are securing, so my one piece of advice would be to make sure you continue developing your overall business skills and learning from the wisdom and mistakes of everyone around you.

Thank you for your time today Mike!

You can hear more from Mike at the upcoming International Cyber Expo on 27th September at 10am - The Nine Fundamental Principles of Being A Security Practitioner.