It's Cyber Security Month - yawn
It is often difficult for Cyber Security professionals to communicate effectively with their internal customers. This is (in my experience) particularly the case for cyber security and information security professionals who have progressed their careers through coding, to IT security to application and Cyber Security. Their technical skills may be second to none, but their ability to tell a story and lift their heads to the strategic level is often less successful.
October seemed to pass many of my colleagues and clients by, in a whirl of rain, wind and floods. But for me, it was a whirl of cyber-security messages and LinkedIn posts, talking about the latest threat analysis and dangers facing our businesses. All very interesting. All very exciting. All very irrelevant to successful day to day delivery.
Think about it. How often do you link your threats back to the true impact on your business? How closely is your threat model and investment in resource linked to the strategic priorities of your organisation? How much effort do you put into making cyber-security relevant to your colleagues and the things they find interesting?
Look at the infographic above from NCSC. Super clear messaging, key areas of risk and focus for Information Security teams. But are you using it to initiate and drive focused discussions with your board? What are the implications of risks around home and mobile working on your workforce strategy? Are the risks understood and embraced by your board - or are the restrictions on using BYOD limited to staff, while the executive team merrily continue to send each other messages on their personal phones and iPads?
How effective are your user education and awareness activities? Or do they induce the yawn of my title? How many posters are stuck to the wall above the printers in your office? If you asked 10 colleagues, how many of them would be able to tell you what is on the posters?
I often come across security colleagues who have fully adopted the 'zero trust' model, but instead of considering how this needs to be implemented to enable the business to function effectively and efficiently, the model is used to insist on compliance with security policies that haven't been assessed from the business perspective - and thus are circumvented and avoided by users.
I was originally going to call this blog 'It's Cyber-Security Week - Yay!' In order to get to that point, your whole organisation needs to embrace security at all levels. Boards and executives need to understand the risks their business face and adopt the behaviours needed to mitigate those risks. Users throughout the organisation need to act and think securely. And security teams need to understand the business - and understand that their role is to facilitate secure operations and delivery.
If this blog was interesting to you and you think you could be more effective in your execution, contact me to see if RTG Commercial Services can help!