Why is it so hard to get Cyber Security right?

In the first of a series of posts, Flint Cyber Security expert Nils Sovang looks at why it is so difficult for the CISO to keep a company’s network safe.

Another CEO of a well-known brand is in the news. The company website has been hacked and the CEO is being pushed to explain why and how this happened, who could have done it and – most importantly – what the impact is on the business’ customers. There is probably no point even discussing the total cost to the business at this point, as this can only be calculated when the incident is fully understood and resolved.

Away from the camera, there is another person who is facing some serious questions from the hard-pressed CEO. The person responsible for the business’ Cyber Security, normally a Chief Information Security Officer (CISO), would be expected to ensure that the business did not get into this position.

How is it possible that big, professional enterprises repeatedly get into this situation? Can it really be that hard to get this right? By now, surely we should have CISO experts to prevent this kind of problem.

Well, let’s be clear. To get Cyber Security right is very, very hard. There are so many aspects to consider and the pace of change in attack methods and technology is very high.

This is the first of a series of posts taking a closer look at some of the factors that need to be taken into consideration to achieve successful Cyber Protection: ‘soft’ factors such as the organisation and people, as well as technology and infrastructure.

Attempting to explain the complexity, some commentators have played the numbers game, working out the probability of a breach by analysing all possible attack profiles and corresponding defences. This is a great way of exposing some of the challenges of Cyber Security, but it is a bit like ignoring psychology when trying to win a football match.

If you look at the characteristics needed for a good CISO, the role is comparable to that of a football referee in that everyone has strong views on how to do the job better – and they are very vocal. If no one notices you, you are probably doing quite well. A lot of attention could mean poor communication or that wrong decisions were made, either by introducing unexplained, disruptive methods of Cyber Protection, or due to recurring serious breaches.

Many CISOs come with a strong technical background, which is obviously useful. However, just as the best footballers seldom make top referees, what you actually need from a good CISO is great communication skills and clear leadership. A clear communicator can describe and quantify the potential consequences of a security breach. Even better, they can secure security investment by linking an improved security posture with increased revenue. A good leader can engage and motivate technical stakeholders to deliver the security programme of work.

A good football referee would call on the two teams’ captains to calm things down should a game get out of hand. The talk will only have an effect if the referee is well respected and understands the roles the team captains are playing. Similarly, a CISO needs to show leadership and maintain a good relationship with the CIO/CTO and CFO. Understanding their priorities is vital in order to form an effective cross-functional coalition to develop and maintain a good security posture across the business.

Contact us to find out how we can help your business build a robust and practicable Cyber Security strategy.