Understanding what really matters to security leaders and "what's keeping you up at night" is so important to us at SI, and not only informs the value we instil in our services, but contributes to the all important discussions and sharing within the community. In this series, we speak to innovative and progressive security leaders for their insights on how they achieve success and overcome challenges on a daily basis.
We had a fantastic discussion with Paul Coleman, exploring how to prepare your team to respond to a breach and best mitigate damage; building strong relationships with the board and elevating the security function's profile; and of course, AI!
It has been a tumultuous 12 months for CISOs - what are the biggest disruptors for security leaders at the moment?
- We're struggling with the macro-economic climate globally and budgets are being squeezed.
- The World Economic Forum reports that cyber security is one of the key drivers for jobs over the next five years. There is a demand for our skill-set and we're seeing projections of growth in the industry, but at the same time there is a skills shortage and we're seeing resourcing budgets cut.
- From a technical perspective, AI is bringing new risks for security leaders which is causing uncertainty and anxiety. AI is moving quickly, so CISOs are trying to keep up and implement sensible policies to manage the risk.
Everyone is talking about AI - what is your approach to managing the risks around new technologies?
- Folks are incredibly trusting of AI, and that trust is very dangerous in security terms. We're relying on people to exercise judgement, however there seems to be an assumption that you can put crown jewels into these technologies and it'll be fine.
- Our role as security leaders is about balancing risk with innovation and value to the business. With AI we currently have a lack of legislation, governance or standardisation. We need to close these gaps and learn where the risks are.
- We've seen this movie before with the cloud; a highly disruptive, rapidly adopted technology, where providing data to third parties means having to manage risks outside of your control - so perhaps we're better prepared to deal with this than we think?
Can you share any strategies or best practices you employ in preparing both your team and the wider organisation for a breach?
- As a CISO, every day could be the day you experience a breach, and how you respond will be scrutinised. To be framed as a victim rather than negligent in the eyes of your stakeholders, your execution needs to be competent.
- A comprehensive response and transparency can limit the bleeding, and make or break your reputation.
- Everyone in the business needs to know their role - you need to have a plan, and have practiced it. We often spend a lot on tools, but forget the final 5% which is practicing it. An equally important part of the process!
Based on your experience, do you have any top tips for CISOs looking to build better board relationships?
- It's important to understand how to communicate in the board's language. This is easy to say, but hard to do. What are their primary goals, concerns and growth initiatives? How can security help to drive that strategy?
- Don't overwhelm with technical detail - you should strike a balance between technical and making sure it is interesting and of value to each board member.
- A key tactic is to demonstrate the value of the cyber programme to the business, how security is contributing to revenue, and how you are promoting and raising awareness of security.
- Scorecards have their place, but it's all about the metrics you choose. People and process orientated metrics are often valuable, for example 'average training time for new starters', or 'how many leaver accounts did we disable on date of departure.'
- It all comes back to risk - the CISO's role is to steer and drive the board towards the balance of risk, which often involves sitting down with leaders and having the difficult conversations.
If you could give one piece of advice to CISOs today, what would it be?
- Prioritise. With limited resource and budgets, and many competing, priorities, it's impossible to do everything. So do less, better.
- Don't spread yourself too thin. Ask yourself, what is really important to the business and managing risk?
We understand the challenges you're facing on a daily basis. If you have any questions, would like to have an initial conversation with the team, or would just value an external sounding board, please get in touch!