Do CISOs have a higher calling?

I believe the security profession is coming close to an inflection point. The growing dependence on technology in our increasingly digital societies, the systemic and personal harm that data breaches can cause and the real world consequences of failures in an IoT-driven physical environment mean that security failures are no longer just an interesting news item or a regulatory concern. They matter.

WannaCry and its impact on the NHS is a strong example of how lives can be harmed and disrupted as an unintended outcome of digital criminality.

Stifling, Suffocating, Security?

Security risk management requires balancing the needs of a number of stakeholders. The risk owners, ultimately the board of directors of an institution, set a risk appetite (whether implicitly or explicitly); the business managers and leaders then seek to operate within that appetite to drive growth or deliver their mission. There is commonly a tension between the hunger for growth and the desire for safety. At executive level that tension tends to be handled easily, but it becomes increasingly contentious the further down an organisation a disagreement occurs.

Portfolios of Risk

I’ve been thinking, and worrying, about portfolio risk and especially cross-portfolio risk in federated environments. In federated environments or extended enterprises it is not unheard of for strong programme management to have a good, clear view of the risks within its scope of activity, and in some more effective enterprises also of the dependencies that different activities within that scope have on each other. It is rare, however, to have a coherent and complete view of the external dependencies between portfolios, and as the pace and variety of change increase this could be a problem.


Talking Up Security

A keynote I gave to GDSCon 2017 on how security practitioners should engage with senior executives.

Strategic Security Management Challenges

I was recently asked by a consultancy firm to provide a keynote talking about the challenges I had faced as a security leader during my career and how the consultancy could start thinking about how to help people in my position. I appreciated the customer-first orientation they were adopting. It was refreshing in a world of consultancies that have a habit of leading sales engagements with why it would be both foolish and dangerous not to buy their off-the-shelf, industrialised services, which were designed for smaller, more focused firms with less in-house capability.

Large global enterprises share much in common but the key themes of concern for a security leader in my experience are:

  • Complexity (the old enemy of security),
  • Scale,
  • Availability of the right people and
  • Culture

