Last Friday at the 2019 Cyber Security and Cloud Global Expo, I saw some insightful talks from the BBC and Just Eat (I immediately regret using the word takeaway in the title) discussing access management and cyber security.
Jason Reed from Frost & Sullivan chaired the cyber stream and highlighted some recent research they had undertaken around a common challenge we all face, whether client side or consultancy: ‘How do you sell cyber to the board?’ and, more importantly, ‘What is the ROI?’
Of the sample of senior staff across organisations, 27% believed that security had a negative return on investment. When companies were asked if they would stop using a service that had a data breach, 48% would cut ties.
One way security staff could help promote the importance of security to the C-suite is to explain the value and risk of the organisation’s Crown Jewels. Kevin Fielder from Just Eat explained that this should be key to any organisation's strategy. They must be protected! The jewels could be data, or IP. Think back to a board who didn’t believe security had an ROI: what would the loss of income be if their products couldn’t be distributed for six months due to being locked out of distribution data? Could negative PR and regulatory fines also count against ROI?
Another insight from Kevin was around skills gaps in security. His solution has been to recruit internally from other teams who understand the business or technology from other points of view. What if that individual already had influence in the organisation and could champion security across it? In an age of social engineering, helping call centre colleagues or finance teams understand the dangers could be key. Having a diverse team not only helps check and challenge team solutions, but also helps the extremely important board buy-in via influence across other business functions.
This question of culture was also echoed in a presentation by Mike Bursell from Red Hat. He highlighted challenging behaviours in an organisation which hinder security projects (or indeed any tech project). Fear of change, control, and the unknown are certainly commonplace across all organisations and require different tactics to overcome. Again, diverse teams and Agile ways of working can really help here.
My final and favourite takeaway also comes from Kevin, and that was around ‘getting the basics right’. Before you even get to thinking about asking for budget or strategy, ensure your foundations are strong. If you don’t regularly patch software and communicate dangers, then you could be leaving your front door open. That will certainly erode trust! Remember 52% of customers may not leave after a breach – but only if you have done everything in your power to protect their Crown Jewels.