Roundtable: Dealing with the C-suite
At SC's latest roundtable, sponsored by Forcepoint, cyber-security professionals from a range of industries gathered to discuss how you deal with a problem like the c-suite and the infinite utility of fear.
A host of IT professionals convened at Central London's Sky Garden to talk about how they deal with their higher-ups
Thankfully, SC's most recent roundtable was c-suite free. "Good, so I can be rude about the board", said Tony Collings OBE, a cyber-security veteran, chairman of the ECA group and our speaker.
The day's topic was the c-suite, the source of so many problems for those whose job it is to protect a company from today's cyber-threats.
Those problems, said Collings, stem from the fact that "most of the executives don't actually understand the relationship between the technology that underpins their business".
When that happens, the law of unintended consequences can really start to rear its ugly head. Not too long ago, Collings was called in to do a due diligence inspection on a Middle Eastern pipeline.
Collings asked how the pumping stations dotting the miles-long pipeline were protected. He was referred to the accountants, who said they protected them on an actuarial basis.
Commonly, said Collings, "there is a complete disconnect between the finance people" who do not look at business impact, especially when it comes to technology.
In the case of a breach, "people don't think this thing through from the very top, they think this is a technology problem", when in fact, "this is a business problem".
Whether due to age or experience, c-suite executives often don't pay enough attention when it comes to cyber. It's a cultural problem as much as anything, said Collings, a problem of managers isolating what they deem to be an arcane technological problem from the broader business.
Collings doesn't think there's a holy grail, but what's clear is that something has to be done to break down that barrier between technologists and managers.
If risk appetite is going to be any use at board level, said Collings, "It's going to have to be calculated."
When speaking to the board, the problems of cyber will have to be objectivised and translated into a language that board members understand. Cost, exposure and what a breach might do to the company's share price are all issues that executives might more easily digest than a lack of AV or endpoint protection.
For one thing, regulators need to get tougher and make executive boards start listening to their CISOs. Some companies get off relatively lightly following major breaches.
As there are no really effective sanctions, were he a regulator, Collings would fine companies heavily and "if that breaks them, so be it".
But where does this responsibility lie within the organisation? Where does the buck stop when it comes to marrying technology to business risk?
Hans Stiles, head of IT at Chiltern Railway, told the roundtable, "The word that I find often missing is culture", the means by which a company inculcates a mindset of security among its staff.
Dai Davis, a self-professed geek lawyer at Percy Crow Davis & Co, with a long history in tech, added, "Security is the new kid on the block [and] that culture of getting that software right is well developed now."
But in the organisations that use that software every day? Perhaps not so much. Neil Thacker, information security and strategy officer at Forcepoint and today's sponsor, put forward the idea that companies might want to start looking at security "from a risk management and asset management point of view".
Easier said than done; changing attitudes at the top and then getting that change to trickle all the way down to the bottom will "be like shovelling fog in a stiff breeze," said Collings. Still, he added, "until people follow through on it as a culture, that's not going to change".
"For me," said Jamie Travis, head of information security at law firm Herbert Smith Freehills, "there's a distinction between behaviour at the board level and behaviour in implementation".
Fear, the room thought, might be a good way of bringing the c-suite to heel.
In Stiles' industry, much of day to day operations are safety critical; "There's a risk of licences being revoked and people going to prison." At the very least, that keeps people honest.
In Nick Iannou's world, construction, the architects are suable for nearly a generation after work is completed, so personal responsibility is a very powerful influence.
In his capacity as head of IT at Ratcliffe Groves Partnership, an architecture firm, he finds himself trying to instil a sense that everyone is responsible. He tells those above, and below him, "Yes, we're spending money on technology solutions, but it's about you."
Davis put it plainly: "What actually motivates people to make sure they're compliant is the [risk of a] loss of a job."
Richard Miller was quick to remind the room that the board has to understand the IT problems that the organisation deals with. In his capacity as compliance manager at Bank of America Merrill Lynch, when presenting to that board, the technology teams work alongside business information security officers to better objectify the often arcane problems of cyber.
One of the problems with education, though, said Thacker, is that so commonly the same education is given to everyone, when in fact "education needs to be tailored for the position".
In many ways, said Collings, we are dealing with intangibles, and when these are brought to the board, "they say come back to me when you have some quantifiable metrics".
In that case, it helps to have an ally on the board. The success stories, the cases where cyber-security has been taken more seriously within organisations, said Davis, happen when there's disruption on the board. Traditionally, accountants and money men become board directors. When you get an engineer on the board, said Davis, that's when you get change.