Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Thinking outside the (penalty) box

The core that sits behind this problem is that each team's security risk management and the board view security risk through two totally different lenses. One focuses on mitigating technical risk, the other focuses on the impact upon profit and loss.

"Only when these are aligned will better communication be enabled," insists Peter Armstrong, Director of Cyber Security at Thales UK. "This will require an ability to relate technical risk directly to profit and loss in order to illustrate how Good Cyber is Good Business."

Advertisement - Article continues below

It is also worth reflecting that 'cyber' is still considered a specialist domain rather than mainstream amazing as that may sound to those of us involved directly within this world. However, as Gartner articulates, over the next three to five years there will be an evolution from control- centric security to people-centric security. 

"As this evolution occurs," Armstrong suggests "the whole subject of cyber security and defence will become more mainstream in turn helping the top-to-bottom and bottom-to-top communications on cyber matters within organisations."

Ultimately then, the key is instilling confidence in the board that the person controlling security risk . "[It's all about] applying a business impact view on cyber issues and recognises the balance needed between risk, benefit and affordability," says Armstrong.

Advertisement
Advertisement - Article continues below

How can this be achieved in the real world? Well, with a little help from security specialists RandomStorm, David Lynch, group IT and procurement director at public transport outfit Go-Ahead came up with a novel way of encouraging communication of security risks between IT professionals and business managers.

Advertisement - Article continues below

At the end of last year, he set up a 'Security League Table' that is used to highlight IT vulnerabilities across the organisation. The IT staff use this in their monthly meetings with managers. The rankings provide IT staff with an opportunity to explain to the management team what the risks are to the business and how they are addressing them.

Managing a team of 50 IT specialists, responsible for looking after the business continuity and security of Go-Ahead's retail network and physical assets in 450 stations, Lynch insists the simple league table approach has facilitated meaningful dialogue between IT security specialists and Go-Ahead's senior management team.

"The Security League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it" Lynch told IT Pro.

"IT staff have to mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities. If a particular team's performance is slipping we can trend that on the league table and look into the causes."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020