On Tuesday 12th November 2013 Chartwell hosted a breakfast briefing at the Royal Automobile Club with the former Head of the UK’s Defence Cyber Security Programme, Major General Jonathan Shaw CB CBE (Rtd).
The discussion focused on managing the new risks of cyber security to business and citizens and how best to leverage resources to secure business and organisations. Here are a few points we learned from the event.
1. It’s about managing human risk as much as securing technological systems.
The term ‘cybersecurity’ puts the wrong emphasis on today’s challenge. The internet was designed to keep us connected and spread information, not to keep information secure and hidden. The challenge is better seen as a campaign of risk management: balancing the value of sharing data against the risk of a leak.
In these terms cyber security becomes as much about business decisions, staffing, structure and morality as it does about technology.
2. The digital age is a board level issue, don’t delegate to your CTO
Whilst technologists will provide new defensive technologies to counter new threats, organisational structure is key to deploying these assets effectively. In a campaign of risk, decisions from the board on how to structure a business are as vital for information security as technical expertise.
Leaders implementing information security don’t need to be technologists but do need to have a good grasp of the threats and risks they face. Senior figures in corporations are too often protected from the pace of technological change by a layer of admin assistance that insulates them from daily usage of new systems.
Corporations need to be honest about gaps in their understanding and then work to create a system that combines the expertise of a young generation of ‘digital natives’ with leadership from senior figures. As such, this problem is not one to be delegated away to the CTO ‘to fix’ but rather embraced as a strategic imperative requiring board level leadership. Similarly, restraint can be a virtue in not over-engineering security: the technical question “what can we do” should be balanced against the human “what should we do”, a choice that calls on senior leadership.
3. The security regime should be adapted and proportionate to the threat
A security response should prioritise assets, measure threats and deploy resources accordingly. Over-securing a system that isn’t threatened can harm its ease of use, reduce its utility and impact productivity right across an organisation.
In measuring threats, consideration needs to be given to human risks as well as technical ones. The more you invest in technical security, the more attackers will target the human links in the system. Threat mitigation thus broadens into questions of training and the loyalty of those with access.
4. Your CIO should be your best communicator not your best tech expert.
Chief Information Officers (CIOs) take on a very important role today. In a digital landscape they often hold responsibility for the key assets of a company, but they need not be the best technologist. Rather they should be excellent communicators and leaders of change, with a role to communicate new and emerging risks to the board, who can then respond to the leadership questions those risks raise.