How to be a trusted advisor

Being a security leader is first and foremost acting as a trusted advisor to the business. This includes understanding its objectives and aligning your efforts to support and enable delivery on the wider strategy.

It is also about articulating cyber risks and opportunities and working with the executive team on managing them. This doesn’t mean, however, that your role is to highlight security weaknesses and leave it to the board to figure it all out. Instead, being someone they can turn to for advice is the best way to influence the direction and make the organisation more resilient in combating cyber threats.

For your advice to be effective, you first need to earn the right to offer it. One of the best books I’ve read on the subject is The Trusted Advisor by David H. Maister. It’s not a new book and it’s written from the perspective of a professional services firm but that doesn’t mean the lessons from it can’t be applied in the security context. It covers the mindset, attributes and principles of a trusted advisor.

Unsurprisingly, the major focus of this work is on developing trust. The author summarises his views on this subject in the trust equation:

Trust = (Credibility + Reliability + Intimacy) / Self-Orientation

It’s a simple yet powerful representation of what contributes to and hinders the trust building process.

It’s hard to trust someone’s recommendations when they don’t put our interests first and instead are preoccupied with being right or jump to solutions without fully understanding the problem.

Equally, as important credibility is, the long list of your professional qualifications and previous experience on its own is not sufficient to be trustworthy. Having courage and integrity, following through on your promises and active listening, among other things are key. In the words of Maister, “it is not enough to be right, you must also be helpful”.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

More

The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, they have one thing in common – they enable the businesses to operate securely. Protecting the company brand, managing risk and building customer trust through safeguarding the data they entrusted you with are key.

There are various frameworks out there that can help structure a security programme but it is a job of a security leader to understand the business context and prioritise activities accordingly. I put the below diagram together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

More

How to select cyber insurance

I wrote previously about how cyber insurance can be a useful addition to your risk management program.

Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.

You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording. 

While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.

To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.

If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly. 

It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction. 

Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.

CSO30 Conference – behavioural science in cyber security

I’ve been invited to speak at the CSO30 Conference today on applying behavioural science to cyber security.

I talked about the role behavioural science plays in improving cybersecurity in organisations, the challenges of applying academic theory in practice and how to overcome them.

I shared some tips on how to build the culture of security and measure the success of your security programme.

We also spoke about the differences in approaches and scalability of your security programme depending on the size and context you organisation, including staffing and resourcing constraints.

Overall, I think we covered a lot of ground in just 30 minutes and registration is still open if you’d like to watch a recording.

Royal Holloway University of London adopts my book for their MSc Information Security programme

Photo by lizsmith

One of the UK’s leading research-intensive universities has selected The Psychology of Information Security to be included in their flagship Information Security programme as part of their ongoing collaboration with industry professionals.

Royal Holloway University of London’s MSc in Information Security was the first of its kind in the world. It is certified by GCHQ, the UK Government Communications Headquarters, and taught by academics and industrial partners in one of the largest and most established Information Security Groups in the world. It is a UK Academic Centre of Excellence for cyber security research, and an Engineering and Physical Sciences Research Council (EPSRC) Centre for Doctoral Training in cyber security.

Researching and teaching behaviours, risk perception and decision-making in security is one of the key components of the programme and my book is one of the resources made available to students.

“We adopted The Psychology of Information Security book for our MSc in Information Security and have been using it for two years now. Our students appreciate the insights from the book and it is on the recommended reading list for the Human Aspects of Security and Privacy module. The feedback from students has been very positive as it brings the world of academia and industry closer together.”

Dr Konstantinos Mersinas,
Director of Distance Learning Programme and MSc Information Security Lecturer.

The foundation of the Zero Trust architecture

Zero Trust is a relatively new term for a concept that’s been around for a while. The shift to remote working and wider adoption of cloud services has accelerated the transition away from the traditional well understood and controlled network perimeter.

Security professionals should help organisations balance the productivity of their employees with appropriate security measures to manage cyber security risks arising from the new ways of working.

When people talk about Zero Trust, however, they might refer to new technologies marketed by security vendors. But in my opinion, it is as much (if not more) about the communication and foundational IT controls. Effective implementation of the Zero Trust model depends on close cross departmental collaboration between IT, Security, Risk, HR and Procurement when it comes to access control, joiner-mover-leaver process, managing identities, detecting threats and more.

Device management is the foundation of an effective Zero Trust implementation. Asset inventory in this model is no longer just a compliance requirement but a prerequisite for managing access to corporate applications. Security professionals should work closely with procurement and IT teams to keep this inventory up-to-date. Controlling the lifecycle of the device from procuring and uniquely identifying it through tracking and managing changes, to decommissioning should be closely linked with user identities.

People change roles within the company, new employees join and some leave. Collaborating with HR to establish processes for maintaining the connection between device management and employee identities, roles and associated permissions is key to success.

As an example, check out Google’s implementation of the Zero Trust model in their BeyondCorp initiative.

How to secure a tech startup

scrum_boardIf you work for or (even better) co-founded a tech startup, you are already busy. Hopefully not too busy to completely ignore security, but definitely busy enough to implement one of the industrial security frameworks, like the NIST Cybersecurity Framework (CSF). Although the CSF and other standards are useful, implementing them in a small company might be resource intensive.

I previously wrote about security for startups. In this blog, I would like to share some ideas for activities you might consider (in no particular order) instead of implementing a security standard straight away. The individual elements and priorities will, of course, vary depending on your business type and needs and this list is not exhaustive.

Product security

Information security underpins all products and services to offer customers an innovative and frictionless experience.

  • Improve product security, robustness and stability through secure software development process
  • Automate security tests and prevent secrets in code
  • Upgrade vulnerable dependencies
  • Secure the delivery pipeline

Cloud infrastructure security

To deliver resilient and secure service to build customer trust.

  • Harden cloud infrastructure configuration
  • Improve identity and access management practices
  • Develop logging and monitoring capability
  • Reduce attack surface and costs by decommissioning unused resources in the cloud
  • Secure communications and encrypt sensitive data at rest and in transit

Operations security

To prevent regulatory fines, potential litigation and loss of customer trust due to accidental mishandling, external system compromise or insider threat leading to exposure of customer personal data.

  • Enable device (phone and laptop) encryption and automatic software updates
  • Make a password manager available to your staff (and enforce a password policy)
  • Improve email security (including anti-phishing protections)
  • Implement mobile device management to enforce security policies
  • Invest in malware prevention capability
  • Segregate access and restrict permissions to critical assets
  • Conduct security awareness and training

Cyber resilience

To prepare for, respond to and recover from cyber attacks while delivering a consistent level of service to customers.

  • Identify and focus on protecting most important assets
  • Develop (and test) an incident response plan
  • Collect and analyse logs for fraud and attacks
  • Develop anomaly detection capability
  • Regular backups of critical data
  • Disaster recovery and business continuity planning

Compliance and data protection

To demonstrate to business partners, regulators, suppliers and customers the commitment to security and privacy and act as a brand differentiator. To prevent revenue loss and reputational damage due to fines and unwanted media attention as a result of GDPR non compliance.

  • Ensure lawfulness, fairness, transparency, data minimisation, security, accountability, purpose and storage limitation when processing personal data
  • Optimise subject access request process
  • Maintain data inventory and mapping
  • Conduct privacy impact assessments on new projects
  • Data classification and retention
  • Vendor risk management
  • Improve governance and risk management practices

Image by Lennon Shimokawa.