This business is not about cyber security, it is about risk management.
Speaking at the SC Magazine Total Security Conference, Major General Jonathan Shaw, former assistant chief of defence staff at the Ministry of Defence, said that talking about 'cyber', and the use of the word itself, switches people's attention off, and that despite everyone living in the digital age, 'people in charge of policy do not understand cyber space'.
He said: “We are living in digital age and it is a real issue for everyone, and what makes it an issue for everyone is mass, speed and access to technology; and everyone is dependent whether they like it or not. Cyber space is the latest medium to communicate; it all happens there and if you look at the nature of conflict, there is a particular relevance.”
He went on to talk about the concept of cyber war, which he said was 'not true'. A better term is competition, he said: at an inter-state level it is not war in the classic sense, it is about a mass of information that is deeply subversive.
“Cyber space is as driven by public sector as government,” he said. “Cyber space is a game for everyone and progress made by the commercial sector and people like you, and this is a real problem for governments.
“The digital age can worry you or appeal to you as an opportunity. There is a lot of hysteria in society as there is an imbalance; cyber space is happening so fast as we cannot keep up, but responses are subversive as organisations run from the top down and older people don't understand the dynamics and there is a gap in comprehension that we really need to plug.”
Shaw said that the reason government doesn't lead on security is because they only 'ask the questions they know the answer to, so it exposes the lack of knowledge'.
“There is nothing secure about cyber space – talk cyber insecurity and never be safe, so it is risk management,” he said.
He pointed to the various security conferences around the world and asked what CEOs did in response; he suspected that it was put on the doorstep of the CIO and CISO.
He said: “Get to grips with full implications and how you encourage them to take a different view. Don't talk about cyber and about information, we live in information age and we live in a knowledge economy and it is a key asset – I say the CIO is the most important post in a business as this requires an institutional change in mindset.
“The CIO is defined as master of IT, I say that is the wrong answer – they own vital assets, but are not in charge of computers but information and in charge of flows. Information is what we are all about, CIOs are crucial people and recognise that information is important to the organisation and risk management is a key issue of information.
“Cyber security is the wrong phrase, it is risk management. Put it in the language of business risk and they may get the point. Talk to board in their language, you need to rely on people as they are the front line, and modern businesses are obsessed with management but not with leadership. It is about control measures as humans need leadership, but to get people to apply by the rules and stay loyal to system and keep alert requires leadership not just management. It starts at the top.”