CISO must act as a translator between technology, security jargon and business risks.

CISO Interview series: Professor Paul Dorey Ph.D. Royal Holloway, University of London

Question 1: Paul, I’ve noted that you are both a Professor and Practitioner in the field of Cyber Security. Where is your greatest passion in the field of Cyber Security – what gets you really excited?

Cyber Security can come across as the technical domain of ‘geeks’ and I most enjoy helping business leaders understand the business relevance of security risks and capabilities. It is really powerful when a business executive or Board of Directors grasps the significance of this new risk area and starts to drive security decisions and opportunities rather than reacting to scare stories.

Question 2: In the past you have established the office of the CISO in various industries. When you are searching for a CISO – what are the key critical attributes that you seek?

Because business engagement is so important the CISO must be a strong communicator able to act as a translator between technology, security jargon and business risks. General Managers usually don’t work out because they cannot call the bluff of the technical people, and the right level of security paranoia is an acquired skill. The successful CISO needs to gain the confidence of business, security and technical communities and so be credible in all three dimensions.

Question 3: As a person who works and consults on the subject of ‘trust’, I’m intrigued: how do you judge the integrity of a person that you have just met?

Trust always takes time to be earned and it is remarkable that most of us are quite so bad at making these decisions. Con-men are only successful because they are trusted so easily. I am probably as fallible as anyone else but good security professionals do believe in ‘trust but verify’ and I will check on facts and with other sources if something really matters professionally. I think all of us rely on robust personal introductions when we can get them.

Question 4: The constant stream of personal data losses from companies seems to show a very cavalier attitude by business to the security of personal data. Would you agree with that?

The incidents that we read about are indeed shocking, especially when the security weaknesses, such as exploits on web sites, are not new discoveries and are well known in the security profession. Again, I think we are seeing a break-down in communication between the security team and the business that they serve. I cannot see a Boardroom truly accepting major risks to customer data if they had it explained to them in the right way.

Question 5: The recent cybersecurity breaches causing power outages in the Ukrainian energy sector were somewhat predictable given the recent Russian conflicts and ongoing tension. More generally, Critical Infrastructure in many countries in my opinion looks to be underdone. Do you agree with my assessment? What can be done to address this gap?

We are at a very interesting stage in cybersecurity where the vulnerabilities built into critical infrastructures in the past are only just starting to be properly understood. Some infrastructures will be resilient because they are just too old to be ‘hacked’, but some more recent technologies have weaknesses that need careful security management. What many are working towards for the next generation of systems is to have security designed in from the start, and there is a lot of activity to this end.

Question 6: The global shortage of cyber security staff means that the risks for enterprises and government will get much worse before they get better. What’s your vision around how this is fixed – does machine learning help to remediate the situation?

We do need to considerably increase the number of good cybersecurity professionals that we have, but you are right to look at other approaches such as automation. At the moment many cybersecurity operations jobs can be very repetitive and time consuming, so process orchestration presents a great opportunity. And, of course, if we designed security in from the start then some problems would not need managing at all.

Question 7: When you talk to Boards on Cyber Security and are asked, ‘How much do I need to invest in Cyber Security?’, how do you answer this question?

As you might expect, there is no single right answer to the amount of investment required for cybersecurity, and in fact the Board never asks that question. They are concerned about the strategic and reputational impact of a cybersecurity incident and they look for assurance that those risks are being managed. In reality the sum of money is always smaller than most other financial decisions the Board would make, and I have never seen cost be a barrier.

Question 8: What is your personal opinion around the relative strengths of different cyber security credentials? Which credentials do you give greater credence to?

There are now almost too many credentials in cybersecurity and it is difficult to choose one above the other. In the UK we found that knowledge alone was no substitute for wisdom and experience, and so founded the Institute of Information Security Professionals to give post-qualification professional accreditation by a panel of peers. It’s rather like having a medical degree vs. being a qualified Doctor. I have my full membership and I know that I earned it. We hope other countries will follow suit.

Question 9: In the field of Cyber Security, where do you see the greatest weaknesses? Are there any strengths, or is this just relative to the gaps?

We seem to be very good at looking backwards and ‘fighting the last war’, as we have good skills in the security of internal company networks and traditional IT systems. But we are moving rapidly to a world of cloud computing, mobile devices and the Internet of Things, and it is here where security skills and knowledge are in short supply.

Question 10: Professor Dorey, you have a private audience with the Prime Minister to brief him on Cyber Security. What are the 5 key pieces of advice that you would provide?

Governments are driven by the timescales of popular opinion and the next election, so all my advice would be to take a 10–15 year view instead and:

  • Educate the population and particularly school children to understand and learn good cybersecurity behaviour and practice.
  • Invest in developing cybersecurity skills through university education and research programmes and through cybersecurity apprentices.
  • Require digital service providers to provide managed cybersecurity services as part of network provision to the home and to the Internet of Things.
  • Provide incentives to have critical infrastructure developed and refreshed to be secure by design.
  • Require companies handling large amounts of personal or sensitive data or operating critical services/infrastructures to have qualified and registered cybersecurity professionals accountable for security assurance.
