A practical approach
ISO 27001 is a widely adopted international standard that sets out systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, staying ahead of emerging threats, and ensuring business resilience in the face of evolving cybersecurity challenges.
A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.
CISOs and security leaders are often called upon to develop a security strategy. It’s an important step to understand what your current state is, in what direction you’re going and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align to business objectives.
There is more to the CISO role than just setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.
Designing a target operating model for an organisation is a complex activity. It is important, therefore, to keep it simple initially. At a very high, level, I suggest CISOs start with three key capabilities:
These can then be decomposed further, tailoring to the needs of your particular organisation. Understand how each domain interacts with and supports the others, capturing key outcomes and dependencies for each function.
Key security capabilities are supported by Leadership and Governance streams, including Security Strategy, Business Alignment, Integration, Oversight, Optimization, Finance, Security Culture, Program Management, Stakeholder Management and Reporting.
Business as usual activities required to keep the lights on are often neglected when capability uplift is prioritized. For this reason, I placed it in the centre of the diagram, emphasising the ongoing importance of providing consistent security service to your organisation.
The NIST Cybersecurity Framework functions at the intersections of domains aim to illustrate the collaborative nature of the security teams. It’s important to go beyond silos , ensuring frequent interaction with the business as well as within the security department.
Cyber security strategy and execution is one of the top priorities for a CISO. It helps articulate the value of security, provide clarity on short and long term goals and outline a cyber security uplift roadmap.
In this blog I recommend a proven step-by-step guide for developing a cyber strategy.
During one of my dives I pondered if there are any parallels we can draw between scuba diving and cyber security. They may seem like vastly different activities, but they share many important similarities. Both are dealing with unknown and often rapidly changing environments, where careful preparation, attention to detail and a focus are critical for success. I list some themes in this blog, feel free leave a comment to add your own.
I am excited to be recognised as one of the Top 10 Cybersecurity Leaders in Australia driving innovation and demonstrating business value. Although relatively new to Australia, I had the opportunity to use my global experience to address key cybersecurity challenges within the Financial Services sector.
A massive thank you to my team – it’s a privilege to lead such high performing and dedicated individuals and be able to build a cutting-edge cyber capability. Congratulations to all the award winners!
How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.
It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.
Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of the effectiveness of security controls.
A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies in line with a security framework (e.g. NIST CSF).
A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.
These reports have a lot of merits but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. The threat landscape has already shifted, state of assets and controls changed and business context and priorities are no longer the same.
Some exciting news – I have relocated to Australia 🇦🇺
I’m honoured to be awarded the Distinguished Talent (now called Global Talent) visa for my ‘internationally recognised record of exceptional and outstanding achievement’ in cyber security.
Although I will miss the UK, my friends and colleagues there, I look forward to the next adventures in Sydney.
The worst time to write a security incident response plan is during an incident itself. Anticipating adverse events and preparing playbooks for likely scenarios and testing them in advance are important facets of a wider cyber resilience strategy.
Incident response, however, is not only about technology, logs and forensic investigation – managing communication is equally important. It is often a compliance requirement to notify the relevant regulator and customers about a data breach or a cyber incident, so having a plan, as well as an internal and external communication strategy, is key.
Security incidents can quickly escalate into a crisis depending on their scale and impact. There are lessons we can learn from other disciplines when it comes to crisis communication.
One of the best example is offered by the Centers for Disease Control and Prevention (CDC). The resources, tools and training materials they have created and made available online for free have been tested in emergency situations around the world, including the latest Covid-19 pandemic.
CDC’s Crisis and Emergency Risk Communication (CERC) manuals and templates emphasise the six core principles of crisis communication:
1. Be first. Quickly sharing information about an incident can help stop the spread, and prevent or reduce impact. Even if the cause is unknown, share facts that are available.
2. Be right. Accuracy establishes credibility. Information should include what is known, what is not known, and what is being done to fill in the information gaps.
3. Be credible. Honesty, timeliness, and scientific evidence encourage the public to trust your information and guidance. Acknowledge when you do not have enough information to answer a question and then work with the appropriate experts to get an answer.
4. Express empathy. Acknowledging what people are feeling and their challenges shows that you are considering their perspectives when you give recommendations.
5. Promote action. Keep action messages simple, short, and easy to remember.
6. Show respect. Respectful communication is particularly important when people feel vulnerable. Respectful communication promotes cooperation and rapport.
Cyber security professionals can adopt the above principles in crisis situations during a cyber incident, demonstrating commitment and competence and communicating with transparency and empathy both inside and outside of the organisation.
Cyber Security Leadership 