It seems to be the new gold rush – everyone wants to get into cyber security. It isn’t surprising given the salary differential between IT operations staff and IT security staff. There are new education options popping up, all with a hefty price tag. I have a friend who printed a business card, registered for a course and got a gig working in IT security for more money than he could get in IT operations.
While I accept that there is a specific skill set for IT security, I am cynical as to how it is approached in industry. I can understand why the considerable investment in cyber security is not reducing the problem!
So let me give you my perspective on how cyber security influences senior management. The first thing to say is that it does have a place on the agenda of boards and senior executives and this is a good thing. Typically it will take more time than questions about how IT is improving productivity or how technology changes are influencing the current business model, and this is a bad thing.
The initial triggers have come from either a security breach, news of breaches in similar organisations or the regulatory changes being introduced (such as mandatory reporting of certain breaches). A consultant might brief the board and executive and tell them that there is a significant risk that is not being effectively managed. The potential for dire consequences will be spelled out followed by a proposal for an expensive consulting engagement to determine current state and propose rectifications.
The board may feel relieved that they have dodged a bullet and fulfilled their duty by getting in expensive “experts”. Fast forward a couple of years and the whole cycle will repeat. There is little evidence that things are getting better despite the resources devoted to cyber security – an overhead that doesn’t by itself deliver business value.
The trouble is that the experts are expert in the wrong things. They might know about firewall policies, denial of service attacks and (maybe) IT management frameworks. All these are needed, but not sufficient. What you really need to know is how your business manages its data.
The truth is that modern businesses manage data everywhere in their operations. There are staff with laptops, tablets and devices throughout the business collecting, processing, sharing and deleting data. Any system that considers the data without understanding the business processes that act on it is doomed to failure (read ISO 27001).
If senior managers want to manage the cyber security risk they need to put more effort into understanding how their business really works. There is precedent for this; most organisations have a significant effort on understanding their financial data. The accountants and book-keepers who delve into financial transactions generally have a good understanding of data around money. Imagine putting the same resources as are applied to finance into all the other data sources in the organisation – asset, customer, people, health and safety, environment, social, suppliers etc.
Fortunately there is a way around this. Many business areas do have a good understanding of their business processes, their skills and their technologies. Rarely, however, is a consistent view available to the executive.
The answer to managing your cyber security risk is therefore to manage your business better – on a holistic level rather than a financial or compliance approach. Putting in place consistent approaches to documenting and monitoring business activities is a good start. Many departments will be undertaking business analysis work within their current scope, so we are not talking about a brand new expenditure line.
Do good business analysis, broadly and consistently throughout the organisation. Collect and leverage the information through some (uncomplicated) architecture. Insist that the effort improves business performance. These are the key tenets for success. With this in place your cyber security consultants can add value and advise on solutions that don’t break the bank.