Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Thinking outside the (penalty) box

The core that sits behind this problem is that each team's security risk management and the board view security risk through two totally different lenses. One focuses on mitigating technical risk, the other focuses on the impact upon profit and loss.

"Only when these are aligned will better communication be enabled," insists Peter Armstrong, Director of Cyber Security at Thales UK. "This will require an ability to relate technical risk directly to profit and loss in order to illustrate how Good Cyber is Good Business."

It is also worth reflecting that 'cyber' is still considered a specialist domain rather than mainstream amazing as that may sound to those of us involved directly within this world. However, as Gartner articulates, over the next three to five years there will be an evolution from control- centric security to people-centric security. 

"As this evolution occurs," Armstrong suggests "the whole subject of cyber security and defence will become more mainstream in turn helping the top-to-bottom and bottom-to-top communications on cyber matters within organisations."

Ultimately then, the key is instilling confidence in the board that the person controlling security risk . "[It's all about] applying a business impact view on cyber issues and recognises the balance needed between risk, benefit and affordability," says Armstrong.

How can this be achieved in the real world? Well, with a little help from security specialists RandomStorm, David Lynch, group IT and procurement director at public transport outfit Go-Ahead came up with a novel way of encouraging communication of security risks between IT professionals and business managers.

At the end of last year, he set up a 'Security League Table' that is used to highlight IT vulnerabilities across the organisation. The IT staff use this in their monthly meetings with managers. The rankings provide IT staff with an opportunity to explain to the management team what the risks are to the business and how they are addressing them.

Managing a team of 50 IT specialists, responsible for looking after the business continuity and security of Go-Ahead's retail network and physical assets in 450 stations, Lynch insists the simple league table approach has facilitated meaningful dialogue between IT security specialists and Go-Ahead's senior management team.

"The Security League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it" Lynch told IT Pro.

"IT staff have to mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities. If a particular team's performance is slipping we can trend that on the league table and look into the causes."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021