Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Thinking outside the (penalty) box

The core that sits behind this problem is that each team's security risk management and the board view security risk through two totally different lenses. One focuses on mitigating technical risk, the other focuses on the impact upon profit and loss.

"Only when these are aligned will better communication be enabled," insists Peter Armstrong, Director of Cyber Security at Thales UK. "This will require an ability to relate technical risk directly to profit and loss in order to illustrate how Good Cyber is Good Business."

It is also worth reflecting that 'cyber' is still considered a specialist domain rather than mainstream amazing as that may sound to those of us involved directly within this world. However, as Gartner articulates, over the next three to five years there will be an evolution from control- centric security to people-centric security. 

"As this evolution occurs," Armstrong suggests "the whole subject of cyber security and defence will become more mainstream in turn helping the top-to-bottom and bottom-to-top communications on cyber matters within organisations."

Ultimately then, the key is instilling confidence in the board that the person controlling security risk . "[It's all about] applying a business impact view on cyber issues and recognises the balance needed between risk, benefit and affordability," says Armstrong.

How can this be achieved in the real world? Well, with a little help from security specialists RandomStorm, David Lynch, group IT and procurement director at public transport outfit Go-Ahead came up with a novel way of encouraging communication of security risks between IT professionals and business managers.

At the end of last year, he set up a 'Security League Table' that is used to highlight IT vulnerabilities across the organisation. The IT staff use this in their monthly meetings with managers. The rankings provide IT staff with an opportunity to explain to the management team what the risks are to the business and how they are addressing them.

Managing a team of 50 IT specialists, responsible for looking after the business continuity and security of Go-Ahead's retail network and physical assets in 450 stations, Lynch insists the simple league table approach has facilitated meaningful dialogue between IT security specialists and Go-Ahead's senior management team.

"The Security League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it" Lynch told IT Pro.

"IT staff have to mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities. If a particular team's performance is slipping we can trend that on the league table and look into the causes."

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Splunk debuts a new suite of cloud security solutions
Security

Splunk debuts a new suite of cloud security solutions

22 Jun 2021
Nvidia Jetson chips make IoT devices vulnerable to attack
vulnerability

Nvidia Jetson chips make IoT devices vulnerable to attack

22 Jun 2021
Cryptocurrency crimes have increased 12-fold since 2016
cryptocurrencies

Cryptocurrency crimes have increased 12-fold since 2016

22 Jun 2021
University Medical Center Mainz taps IBM to secure health care data
cloud security

University Medical Center Mainz taps IBM to secure health care data

21 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021