Over the last three years the cyber and Tech industry has been under-investing in IT maintenance and in cyber security which has formed a ‘perfect storm’. Layoffs, budgets cuts, IT Solutions, the big push into cloud, all of these have been creating a lot of pressure and leaving companies vulnerable to external threats. We spoke to Nick Jones, Chief Information Security Officer (CISO), on the evolving challenges for CISOs.
Coming out of COVID what are some of the challenges facing CISOs in the UK?
Due to COVID-19, many industries were put on hold and teams were furloughed, particularly IT teams. This resulted in a lack of maintenance for almost three years and the cancellation of ongoing projects. It has taken some time for these industries to recover, and even now there is a significant gap in investment and maintenance. Additionally, there may have already been a backlog of outdated technology and unfinished cloud migrations, resulting in technical debt for CISOs to address.
This challenge is compounded by economic issues such as Brexit, government policies, and rising interest rates and costs of oil and gas, which have constrained budgets. Thus, CISOs are currently facing the task of dealing with both technical debt and financial constraints.
How can CISOs priorities their efforts in the face of these challenges?
Understanding the risks you face is crucial, and it’s important to have a list of what needs to be addressed. Grouping and prioritising activities based on the biggest problems and the potential protection they offer is key. It’s essential to regularly review and update this list, whether it’s a risk register or a to-do list, to ensure that you are on track and making progress. This ongoing evaluation can help you balance budget, capacity, and technical debt issues against the needs of the project.
It’s important to remain flexible and be willing to reprioritise when necessary. For example, a sudden issue might require immediate attention and resources, which may mean putting other tasks on hold. Balancing short-term and long-term priorities and adapting to changing circumstances is a crucial skill that requires practice and honing.
What are some alternative funding sources for cybersecurity investments?
To succeed in this field, one needs to be creative and strategic in their investments. This may mean reallocating funds from less valuable resources to those that are more crucial. For example, we terminated our antivirus investment and invested in endpoint protection at a previous company I worked for, which gave us better protection and coverage.
It’s important to evaluate your investments and ensure that you are receiving value for your money, and to redirect funds to where they will be most effective. We also need to make stronger business cases that demonstrate the value of our investments, rather than just focusing on risk management. Investing in early code fixes during the development life cycle can save a significant amount of money compared to fixing issues later in the production cycle. Therefore, being innovative and strategic in this field can lead to success.
How can CISOs use the right tooling and requirements?
Often, when faced with a problem, our first instinct is to look for a tool to solve it. However, it’s important to approach problem-solving in a more strategic manner. We should take the time to analyse the requirements and understand the business value associated with them before determining the best course of action. This may involve a variety of solutions such as education, policy changes, or using multiple tools in conjunction with one another.
We should consider how all of our tools fit together and prioritise the use of native tools provided by our base platform, such as Microsoft, AWS, or Google Cloud. Only when the native tools fail to provide the necessary functionality should we consider additional tools. Therefore, streamlining our tooling strategy is crucial to effectively solving problems.
How can CISOs effectively communicate the importance of cybersecurity to their boards?
The challenge of communicating technical information to non-technical board members is a common problem. The technical jargon and complexity can be overwhelming and difficult for the board to understand, making it essential to translate it into real-life scenarios that are relatable and easy to comprehend.
It’s crucial to put some emotion into the communication without becoming too emotional and using relatable terms like “criminals” instead of “hackers” can help the board understand the severity of the situation.
It’s also important to have a diverse team with a mix of backgrounds and skills. Diversity and cross-skilling can help bring in fresh ideas and different ways of thinking, which can help solve problems from a different perspective. For instance, I previously had a drama student on the team who brought in a different viewpoint and unique communication skills that challenged everyone in a different way.
We need to focus on understanding the board’s preferences and style of thinking, such as their level of detail or high-level approach, and tailoring the communication to meet their needs. This can be achieved by having separate conversations with board members before the board meeting and presenting a succinct summary that covers all issues to gain their support before making the final pitch.
The challenges faced by CISOs in the UK are numerous and complex, but with the right strategies and approaches, they can be addressed effectively. By prioritising efforts, exploring alternative funding sources, using the right tooling and requirements, and communicating effectively with board members, CISOs can ensure that their companies are adequately protected against cyber threats. With cybersecurity becoming increasingly critical to business success, CISOs must continue to stay up to date with new challenges and emerging threats while also focusing on maintaining the integrity and security of their systems and data. By doing so, they can ensure that their organisations remain secure, resilient, and competitive in today’s ever-changing digital landscape.
InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.
We also understand that cyber and information security recruitment can genuinely change people’s lives, that’s why we take the duty of care to those we represent very seriously. All our actions are underpinned by our core values:
- Always do the right thing
- Be the best we can be
- Add value
We work with businesses in the cyber/tech arena, from start-ups and scale-ups to FTSE100 and central Government, many of whom are always looking for great people.
Call us directly on 01242 507100 to discuss opportunities or email info@infosecpeople.co.uk.