Is no news good news when it comes to cyber security in your business? What are the hallmarks of excellence in this field? Phil Cracknell, Chief Information Security Officer (CISO) at Homeserve, is speaking alongside senior public and private sector figures at the Cyber Security Summit and Expo in London on Thursday 16 November, shining a spotlight on the current challenges facing cyber security practitioners.
Cracknell is keen to focus on the lack of quantification in cyber security, pointing out that: “What good looks like is becoming increasingly important” and, as such, the ability to define what constitutes “good” cyber security takes priority.
Cracknell has done much to develop co-operation between CISOs for a number of purposes, one of which is the quantification of cyber security standards. Initially focusing on “anonymous surveys of CISOs to fill the void of information regarding breaches”, this work has since evolved into The Metrics Project.
The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of information security, with over 50 UK CISOs involved. As the collective work of over 350 CISOs across its current lifespan and purposely avoiding vendors and analysts thus far, The Metrics Project focuses on developing something that will deliver true value to the businesses of those involved: “By the CISO, for the CISO” as Phil Cracknell observes.
Measuring and validating
Cracknell emphasises the role of metrics as “very much the key to our future” in measuring and validating the effectiveness of cyber security. “Businesses are waking up to the fact that they need metrics and risk indicators that our Board members, audit committees and non-executive directors are able to understand.”
Promoting a “report what you should, not what you can” mindset in organisations, Cracknell suggests metrics can affect business practice in a number of ways. They can demonstrate effectiveness, measure exposure and agility, test an organisation’s culture, pinpoint responsibilities and highlight levels of investment, all of which give a clear insight into a sector and provide tangible, measurable indicators of how suitable its cyber security is.
Having worked in the cyber security arena for over 20 years, Cracknell knows its quirks and trends well. Looking forward, he is able to offer insight not only into the current state of the industry, but also into where this fast-paced and largely unpredictable sector may be heading.
Soft skills also crucial
Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Cracknell draws attention to the softer skills involved in effective cyber security. “Security leaders are still procuring solutions that don’t address their top issues or risks. Good risk management will avoid this. A solution for a risk doesn’t always have to involve buying hardware, software or a service at all.”
Instead, Cracknell advocates an introspective approach to the business, with continual training of staff and improved process management.
Looking to the future, Cracknell has addressed the rising trend in both work and society of BYOD and the risks associated with it. “Given that our corporate perimeters are expanding and even disappearing entirely, coupled with the prevalence of personally-owned devices in working environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data.”
*Phil Cracknell will talk as part of the Cyber Security Summit at 3.30 pm on Thursday 16 November under the subject heading Measuring Success: Metrics for Cyber Security Strategy. Cracknell is taking part alongside senior public and private sector figures, among them Mark Sayers (deputy director of cyber and Government security at the Cabinet Office) and Chris Ulliott (CISO at the Royal Bank of Scotland).