Enterprise security skills: the communication factor

How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...

Thinking outside the (penalty) box

The core that sits behind this problem is that each team's security risk management and the board view security risk through two totally different lenses. One focuses on mitigating technical risk, the other focuses on the impact upon profit and loss.

"Only when these are aligned will better communication be enabled," insists Peter Armstrong, Director of Cyber Security at Thales UK. "This will require an ability to relate technical risk directly to profit and loss in order to illustrate how Good Cyber is Good Business."

It is also worth reflecting that 'cyber' is still considered a specialist domain rather than mainstream amazing as that may sound to those of us involved directly within this world. However, as Gartner articulates, over the next three to five years there will be an evolution from control- centric security to people-centric security. 

"As this evolution occurs," Armstrong suggests "the whole subject of cyber security and defence will become more mainstream in turn helping the top-to-bottom and bottom-to-top communications on cyber matters within organisations."

Ultimately then, the key is instilling confidence in the board that the person controlling security risk . "[It's all about] applying a business impact view on cyber issues and recognises the balance needed between risk, benefit and affordability," says Armstrong.

How can this be achieved in the real world? Well, with a little help from security specialists RandomStorm, David Lynch, group IT and procurement director at public transport outfit Go-Ahead came up with a novel way of encouraging communication of security risks between IT professionals and business managers.

At the end of last year, he set up a 'Security League Table' that is used to highlight IT vulnerabilities across the organisation. The IT staff use this in their monthly meetings with managers. The rankings provide IT staff with an opportunity to explain to the management team what the risks are to the business and how they are addressing them.

Managing a team of 50 IT specialists, responsible for looking after the business continuity and security of Go-Ahead's retail network and physical assets in 450 stations, Lynch insists the simple league table approach has facilitated meaningful dialogue between IT security specialists and Go-Ahead's senior management team.

"The Security League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it" Lynch told IT Pro.

"IT staff have to mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities. If a particular team's performance is slipping we can trend that on the league table and look into the causes."

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020