Is there anything you’d like to see improve in the industry based on some of the challenges you’ve witnessed?
I’d like to see meaningful progression toward standardisation in cyber security. We don’t currently have any clear standardisation, and it’s certainly difficult because there are so many different areas and tiers to map. Some organisations have tried to address this in the past, such as the Cyber Council, but they haven’t been able to find a solution to the complexity of cyber security and the myriad of sub-fields.
For example, the role of a CISO, and the business’s requirements and expectations of the role, can be completely different depending on the organisation or industry. Some are far more technical, e.g. within a small team, whereas others are more focused on risk management and leadership. I do think the role is changing, and now involves marketing, communications, and stakeholder relationship management. I report into our CFO, and as CISO I’ve been given full accountability and operational responsibility for infosec. This isn’t the same across the industry, and I think there needs to be more standardisation to avoid confusion and to better enable the right person and skillset to lead security functions for what that business and team requires.
Do you have any advice or strategies for building a strong culture between development teams and security?
My main strategy has always been to listen. If you join an organisation where developers are operating in silos, with very little business support and a shoestring budget, organise a meeting with them and let them vent. This will help you to hear their perspective, understand their pain points, and from there you can work out how to remove any friction. A development team won’t want someone to come in and completely overhaul their processes, but a good team won’t want to be back-patching, and will understand that they can reduce their workload by working with security. Communication really is key, as is collaboration and pragmatism, so that you can work together to help both teams succeed, as well as the overall business. A good relationship with a software development team will enable you to bring in secure processes from the start.
I think security playbooks are really helpful as well, and I’ve rolled these out across the business, from developers and customer service to sales and senior stakeholders. You need to make sure security is fully integrated into all of your business processes and interactions with customers. Everyone needs to understand your security programme and how it translates into business practices, so that security is entrenched into the DNA of the business.
The best way to demonstrate that security is a business enabler is through revenue, as without security you wouldn’t be able to roll out your product or take customer orders. This awareness of the positive role of security has always helped in my experience in building a strong culture.