Is no news good news when it comes to cyber security in your business? What are the hallmarks of excellence in this field?
Phil Cracknell, Chief Information Security Officer (CISO) at Homeserve, is speaking alongside senior public and private sector figures at the 16 November Cyber Security Summit in London, shining a spotlight on the challenges facing Cyber Security practitioners.
He is keen to bring focus onto the lack of quantification in Cyber Security, pointing out that “What good looks like is becoming increasingly important”, and as such, the ability to define what constitutes “good” Cyber Security takes priority.
Phil has long worked to build co-operation between CISOs for a number of purposes, one of which is the quantification of Cyber Security standards. Initially focusing on “anonymous surveys of CISOs to fill the void of information regarding breaches”, this work has since evolved into The Metrics Project.
The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of Information Security, with over 50 UK CISOs currently involved. Representing the collective work of over 350 CISOs over its lifespan, and purposely avoiding vendors and analysts thus far, the Metrics Project aims to develop something that will deliver true value to the businesses of those involved, in Phil’s words “By the CISO, for the CISO.”
Measuring and validating
Phil emphasised the role of metrics as “very much the key to our future” in measuring and validating the effectiveness of Cyber Security. “Businesses are waking up to the fact that they need metrics and risk indicators that our board, audit committees and non-executive directors are able to understand.”
Promoting a “report what you should, not what you can” mind-set in organisations, Phil suggests metrics have the ability to affect business practice in a number of ways. “Metrics can demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint responsibilities and highlight levels of investment”, all of which provide insight into a sector and give tangible, measurable indicators of whether an organisation’s Cyber Security is fit for purpose.
Having been in Cyber Security for over 20 years, Phil is no stranger to the quirks and trends of the industry, and is able to offer insight not only into its current state but also into where this fast-paced and largely unpredictable industry may be headed.
Soft skills also crucial
Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Phil draws attention to the softer skills involved in effective Cyber Security. “Security leads are still procuring solutions that don’t address their top issues or risks.
Good risk management will avoid this, and of course a solution for a risk doesn’t always have to involve buying hardware, software or a service at all”. Instead, Phil advocates a more introspective approach, investing in staff training and improved process management.
Casting a glance to the future, Phil addressed the rising trend in both work and society of ‘Bring Your Own Device’ (BYOD), and the risks associated with it – “With our corporate perimeters expanding and even disappearing entirely, and the prevalence of personally owned devices in our work environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data.”
Phil Cracknell will talk as part of the Cyber Security Summit at 3:30pm on 16 November, with his address Measuring Success: Metrics for Cyber Security Strategy. He is speaking alongside senior public and private sector figures, including Mark Sayers, Deputy Director of Cyber and Government Security at the Cabinet Office, and Chris Ulliott, Chief Information Security Officer at the Royal Bank of Scotland.
Author: David Roberts, Event Director at GovNet, organiser of the 16 November Cyber Security Summit and Expo, and the co-located GDPR Conference at the London Business Design Centre.