Enterprise security skills: the communication factor
How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...
Thinking outside the (penalty) box
The core that sits behind this problem is that each team's security risk management and the board view security risk through two totally different lenses. One focuses on mitigating technical risk, the other focuses on the impact upon profit and loss.
"Only when these are aligned will better communication be enabled," insists Peter Armstrong, Director of Cyber Security at Thales UK. "This will require an ability to relate technical risk directly to profit and loss in order to illustrate how Good Cyber is Good Business."
It is also worth reflecting that 'cyber' is still considered a specialist domain rather than mainstream amazing as that may sound to those of us involved directly within this world. However, as Gartner articulates, over the next three to five years there will be an evolution from control- centric security to people-centric security.
"As this evolution occurs," Armstrong suggests "the whole subject of cyber security and defence will become more mainstream in turn helping the top-to-bottom and bottom-to-top communications on cyber matters within organisations."
Ultimately then, the key is instilling confidence in the board that the person controlling security risk . "[It's all about] applying a business impact view on cyber issues and recognises the balance needed between risk, benefit and affordability," says Armstrong.
How can this be achieved in the real world? Well, with a little help from security specialists RandomStorm, David Lynch, group IT and procurement director at public transport outfit Go-Ahead came up with a novel way of encouraging communication of security risks between IT professionals and business managers.
At the end of last year, he set up a 'Security League Table' that is used to highlight IT vulnerabilities across the organisation. The IT staff use this in their monthly meetings with managers. The rankings provide IT staff with an opportunity to explain to the management team what the risks are to the business and how they are addressing them.
Managing a team of 50 IT specialists, responsible for looking after the business continuity and security of Go-Ahead's retail network and physical assets in 450 stations, Lynch insists the simple league table approach has facilitated meaningful dialogue between IT security specialists and Go-Ahead's senior management team.
"The Security League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it" Lynch told IT Pro.
"IT staff have to mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities. If a particular team's performance is slipping we can trend that on the league table and look into the causes."
In This Article
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now