Speaking on a session titled “Is top level security possible on a shoestring budget?” as part of Digital Transformation Expo, security specialists were asked by moderator Jeremy White what their top tips were on what not to do, and how to run security more efficiently.
Asked on what their recommendations were on the one thing businesses should not be doing to operate a cybersecurity system on a shoestring, Simon Honey, cybersecurity and data protection companies advisor at the Institute of Directors, said it is “having people who don’t know what they are doing running the process.” He said he has found this situation over and over again, as IT people think security is about stopping viruses and making better firewalls, “but it is more than that, you’ve got to think about culture, you’ve got to think about security as in the whole culture of the business.”
John Rouffas, CISO of Bink, said it is about being able to “impart what the critical knowledge is with people within the organization, and to supplement that with your knowledge and supplement that together to make it work.” He said the last thing you want is for you or the company to make assumptions for you, as that can cause problems. “Security really is an organism; it grows and needs to be helping the whole time, and it is very much a journey.”
Looking at tips to run security more efficiently, Rouffas said the most important thing is to look at the people you have and leverage what they have and what you’re doing, as they are the people who use these tools on a day-to-day basis, and as there is a chance you’re going to bring in something new, “bring them in together and be inclusive as to where you’re going.”
Honey recommended having a three year road map, and know what you have to do now and in the first few months, first six months, first year, two years and three years “and in every year, review it.”
He said with that in place, even though you may change plans as new ideas and technologies emerge, having a strategy “gives you an idea of where you want to go and how you’re going to do it, and ultimately, how much you should have as a budget each year.”
Earlier in the discussion, Honey said too many businesses believe IT and security are the same, and it is best to address that and look for solutions to support security “which can mostly cost around £10-20,000,” and will not cost more than £50,000.
Discussing the idea of moving the CISO out of IT, Honey said most companies believe that cybersecurity belongs in IT, but it does not, and it should be outside of IT, and in one instance the reporting line had been moved for the CISO to report directly to the chief operating officer. “The CISO should be on par with the CIO, and quite often the CIO is not part of the board, and not there to give advice when things go wrong, while a CISO is called to the board every time they meet, to give an update on security,” he said. This is because a CISO can react quickly to when something happens, and when the CEO asks for a report the CISO can provide this too. “This also means that if a crisis does occur, like a hack, the board are aware of it pretty quickly.”
Rouffas said there is a misunderstanding as to where the CISO needs to fit, and he has seen some cases where the CISO reports to the CTO, and that creates a conflict of interest as “you’re trying to tell the IT people ‘this is how you’re supposed to deploy systems, here are the controls that you need to have and this is what you need to do to make them secure’.” However the CTO will say “I’m not going to let that happen as it will not work anymore.” This causes a situation where you work on something bigger, and get into disagreements.
“Ultimately it [security] needs to be part of the board, and be empowered to be able to react as quickly and responsibly as they possibly can,” Rouffas said.