Only a cultural shift across the Boardroom can move the needle

The survey released by BT Security in January 2021 (“CISOs under the spotlight”) is interesting, if only by the size of the population surveyed (over 7,000 people) and its triple focus on consumers, employees and business leaders.

But its findings are problematic, in particular in what they reveal of the attitude of senior executives towards cyber security, and the persistence of some problems at the top.

It starts well, with some stats broadly consistent with other surveys and anecdotal field evidence: 58% saying that improving data and network security has become more important to their organisation in the last year…

The protection of the business from cyber threats is something you need to grow, not something you can buy

The role of the Board in relation to cyber security is a topic we have visited several times since 2015, first in the wake of the TalkTalk data breach in the UK, then in 2019 following the WannaCry and NotPeyta outbreaks and data breaches at BA, Marriott and Equifax amongst others. This is also a topic we have been researching with techUK, and that collaboration resulted in the start of their Cyber People series and the production of the “CISO at the C-Suite” report at the end of 2020.

Overall, although the topic of cyber security is now definitely on…

Security culture and governance eat tech for breakfast

Looking back at what happened at ground level throughout the COVID crisis, it is clear that the focus has been entirely on operational matters: From moving into remote working at scale for the services industry, to keeping supply chains working for the manufacturing sector, or many retail firms having to re-invent themselves as digital businesses, literally within weeks. It has all been about keeping the lights on, understandably.

Tech and cyber security have been — and still are — at the heart of all this, and, as we wrote back in April 2020, it is hard not to see those…

The Cyber Security Transformation Podcast

A weekly independent podcast with a different take on what’s happening in the cyber security industry

Throughout the second part of 2020, together with Steve Lamb and guests, we have shared our views in a weekly podcast on both the interesting news stories of the week and our own experiences, drawing on decades of real-life experience.

Aimed at CIOs and other C-level executives with a passion for cyber security and delivered most Friday morning, each 10 to 15 minute episode is framed around an open discussion focused on a particular topic, from security budgets to the evolving role of the…

Transformational opportunity for firms, or tactical trap for the CISO?

As the COVID crisis continues to develop, one thing is becoming clearer and clearer: Remote working is here to stay, in some form or another; probably as hybrid work. Technically, it has scaled, and it has worked. Throughout the pandemic, it has enabled many industries worldwide to continue operating, and many people to keep their jobs.

From an acceptance perspective, it’s another story. I am yet to meet a single person who would endorse it fully. At one extreme, it disturbs family life, increases isolation, and can lead to depression or burnout. …

Protecting the Public or Protecting Big Business?… The recent downgrading of fines by the UK ICO for British Airways and Marriott raises some questions.

Let’s face it: During the second half of October 2020, we probably came across the first major milestone since GDPR came into force on 25th May 2018: The downgrading by the UK ICO of the fines it had proposed in the summer of 2019 in relation to the 2018 data breaches at British Airways and Marriott.

The UK regulator probably intended to showcase its business acumen and its understanding of the situation those industries are going through with the COVID crisis, but in practice, it is likely to be seen over time as a sign of weakness, and it definitely…

The key challenges of the transformational CISO are not technological, but managerial.

There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their tenure, the levels of stress they’re under, and the burnout epidemy they’re suffering.

But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you’d quickly realise that there is a fair amount of creative writing involved in a lot that’s being posted.

It is easy to write about “the CISO” thinking this is a fully established C-level role and one of the pillars of corporate governance. In…

Why large organizations still struggle with decade-old security problems — and how to fix them

I have been involved with information security matters for over 20 years and started writing regularly on the topic in 2015. Talking to CISOs, CIOs, CEOs and their teams as part of my day-to-day field work as consultant, I was horrified by what I was seeing in too many large corporates in terms of security maturity levels and the actual problems some were still struggling with — something that goes way beyond anecdotal evidence and is at the heart of survey after survey every year. After all, information security good practices have been well established for over 20 years and…