22 Apr 2021

What qualities does a good CISO need as 2021 progresses?

Guest blog: Gavin Ellis, Atkins and Robin Oldham, Cydea as part of our #Cyber2021 week

If the past year has taught us anything it’s that organisations that were IT-secure enough to face the challenges of a global pandemic have probably fared better than those that weren’t.

Covid has brought the need for organisations to be adaptable, pragmatic and resilient into sharp focus. The more astute risk managers would have had ‘a disruptive event that prevents staff access to the office’ on their risk register, at the very least in recognition of bad weather, fire or travel disruption. These organisations should have ensured they had modest spend and resource set aside to allow secure remote computer access so that their critical workforce could transition smoothly and securely to working at home if they couldn’t get into the office.

The IT security equivalent of handwashing

Perhaps those that weren’t so well-prepared had instead focused on the possibility of a more dramatic event happening – a major incident that would make a much better Hollywood blockbuster – and not something as seemingly mundane as a flu virus. When seeking investment at board-level, it can be tempting to lean on these dramatic doomsday scenarios. But it is a chief information security officer’s (CISO’s) responsibility to keep the c-suite grounded. Covid has forced us all to go back and revisit the simple things in life like washing our hands. In the same way, CISOs must remind the board to keep asking the question: “Are we performing the basic cyber hygiene?”

Organisations are more vulnerable when they neglect the basics – and nowhere is this issue more apparent than when it comes to the people who use company IT systems. Cybercriminals have been quick to exploit the learning curve faced by many employees when getting to grips with new IT tools and new ways of working. Communicating basic hygiene to the workforce has, therefore, never been more important.

Learning and looking ahead

It is also the CISO’s responsibility to continually improve their organisation’s security position. The last 12 months have provided plenty of challenges, but also opportunities. Every CISO should now be better prepared for any future crises, because they’ve faced one. Any experience gained from resolving incidents – be that a near-miss or a wide-scale headline-hitting computer hack – provides valuable insight into how CISOs, their organisations, and their technologies, can cope. It is crucial that we learn from the lessons that the experiences of the last 12 months have taught us.

Good CISOs will emerge from this pandemic as having been highly effective in a crisis. They will have a renewed understanding of how the disruptive nature of a major world event, like a flu pandemic, can affect every touchpoint of their organisation. They will have an improved appreciation of their business, a better understanding of their dependencies and which services are truly critical to operations, and they will be able to confidently scale their people, as well as their technology, to adapt to changing circumstances.

A good CISO seeks expert advice

Many organisations are accelerating migrations to the cloud and changing office infrastructure to ensure that they can flex and scale to adapt to these new ways of working. The cloud market offers an enticing range of solutions for businesses whose IT systems have struggled to cope with covid’s impact.

Turning to software giants that are prepared to invest more than US$1 billion every year in their own cybersecurity looks like a sensible move, but it’s important to ask: is your traditional IT team best placed to advise on the transition? A good CISO will also be open to seeking out expert advice.

Trust and awareness in the workforce

They must also be able to communicate clearly that security isn’t something being done to the organisation – it’s collaborative, it needs to be embedded, and it’s something won or lost as a team. He or she will advocate for a cyber-aware organisational culture; one that trusts and empowers its people and instils in them the importance of taking data security seriously, backed by employee training and awareness campaigns.

This is especially important when employees are faced with sudden, mandatory, new ways of working. The c-suite must in turn understand that robust cyber security is not a matter of doom and gloom scenarios, and what might go wrong. It’s about supporting their CISO to ensure their systems remain vaccinated, and their organisation stays well-protected.

Gavin Ellis is a cyber security architect for Atkins, a member of the SNC-Lavalin Group. Working with managing consultant Robin Oldham of Cydea, the partnership advises clients on cyber security and cyber resilience.
 

Dan Patefield

Programme Head, Cyber and National Security, techUK

Charlie Wyatt

Programme Assistant, techUK

Jill Broom

Programme Manager, Cyber Security & Central Government, techUK