The news media carry stories relating to cyber security on a daily basis and it is no exaggeration to state that the topic is now part of the mainstream debate. But what is cyber security? It seems to mean different things to different people. Most concerning, to those of us who spend our working lives on this topic, is an apparent assumption in many organisations that the issue is not one that requires urgent attention. My goal is to examine why that might be the case and to offer some suggestions as to how to address the lack of urgency whilst recognising that there are more urgent and more important priorities into which the cyber security and information assurance agenda must fit.
I am hoping that you are at least mildly curious as to why I have entitled this piece ‘Cyber security as a tool for business transformation’. The primary reason is to encourage a change in our mindset as cyber security and information assurance professionals. Over the past 15 years, I have attended numerous meetings, seminars and conferences and participated in debates, both formal and informal, on the topic of how to get the message across to senior executives that this field is one that requires their attention. The specifics vary, and whether the conversation is about risk-based controls, business continuity, information assurance or cyber security, the general theme has remained constant: “they don’t get it”. And it matters not whether you are seeking the opinion of the professional or the executive; the view is the same. This indicates to me that there is a fundamental failure of both understanding and communication on both sides.
I make no claim to a rigorous scientific basis for my hypothesis, but after 15 years of active observation I am confident that there is at least a strong anecdotal basis for drawing the conclusion that one of the key factors in creating this problematic communication is our educational tradition of specialisation. We have built professions of various hues in this general field where the emphasis is clearly and consistently on the ‘pure’ rather than the ‘applied’. It is my belief that unless we cross this divide we will continue to struggle to gain acceptance of the need for robust cyber security and information assurance – primarily because we are approaching the issue from the perspective of the pure scientist rather than the applied technologist.
As a profession, and as subject matter experts, it is incumbent upon us to address the very real needs of our customers (internal or external) in terms of normal business operations. We have no God-given right to be heard on our specialist subject. We can express the benefits of adopting good security practice in terms that our customers can relate to, and it is vital that we do. If we are not making a positive contribution to the performance of the organisation, it is entirely valid to question the relevance of what we aim to achieve. We must not lose sight of our customers’ business objectives and must ensure that the security regime we propose is appropriate, effective, sustainable and, most importantly, makes a tangible and measurable contribution to the ongoing improvement of business performance.
NOTE: This article was first published by AKJ Associates for the PCI London conference at the Victoria Park Plaza Hotel on 24th January 2013.