The oil industry, historically lucrative, has seen something of a squeeze in recent years, leading to a tightening of the belt for the majority of the companies that comprise the oil industry. Even in these parsimonious times, the value of data, a commodity of which companies have a tremendous amount of is only increasing, and as such, securing that data becomes ever more intrinsic to business success. Chris Rivinus, Head of Business Systems of Tullow Oil sat down with Cyber Insider a few days after his appearance at the Cyber Security Summit and Expo earlier this month to talk about how cyber security impacted the oil industry, and the role of culture in adding value in a cyber-security sense.
In times where budgets are squeezed and resources stretched, it is especially critical to understand the risks that are faced by organisations in order to apportion these limited resources to the right areas. Chris referenced the role of IT in blurring the lines between home life and work life, through the enablement of work interests to reach past 5pm, with “avenues for collaboration and task execution in the home”. Because people are now able, and in many cases willing, to take their work into their home when required, Chris suggests that “they may feel reciprocity is in order” – using work tools for personal use. This, Chris says, is where the nature of risk has changed. “This is causing a real breakdown both in terms of defending the perimeter in traditional cyber security terms, but it also sows the seeds of culturally galvanised resistance to top-down governance generally”. In order to overcome this breakdown, Chris suggests that changes in the role of the CISO will be required, explaining that “Merging traditional application of cyber security practices and tools with other uses that serve the digital transformation agenda will take a new breed of CISO, one with exceptional business acumen”.
As Head of Business Systems, Chris’ knowledge of organisation security is no surprise, but Chris’ expertise in cultural anthropology gives him a unique angle from which to consider cyber security. Touching upon this knowledge, Chris referred to the value of culture in organisational communication. Phishing attacks, and its various offshoots thrive upon communicational triggers and vulnerabilities, and as such, Chris is well placed to help deal with this threat. “The real trick is to understand how to communicate and apply influence across a variety of different cultures in your organisation to both compel them to be vigilant and to help them understand what to be vigilant for”. Without the right tailoring to the cyber security message to staff, Chris warns that “all too often, the right cyber security messaging is dismissed or resisted because of how it’s presented, the language used or the tone used”.
The culture of the business has wider reaching effects in a cyber-security sense than just phishing attacks however, and understanding the value of business culture is a tremendous asset in ensuring data is successfully protected. Asked how cultural understanding can help in deterring cyber-crime, Chris emphasised that solutions associated with overcoming or avoiding the human factor of cyber security are often not the failsafe solution they claim to be – instead of bypassing the human element, embracing and understanding it is preferable. “I’ve talked to a lot of CISO’s who say that the more controls you apply and the more top-down policy implementation you throw at people, generally the more likely you are to see pockets of those same people move from unenthusiastic participation toward open rebellion”. Asked how to combat this, Chris advocated fostering a more united front against the real threat – namely hackers; he suggests the key is “to have your cyber security team stop presenting themselves in a way that makes them look and feel like the bad guys”.
With the right culture in place as Chris has suggested, the cyber security message is able to be propagated through the business, and data security is increased, especially prominent given the ever-increasing value of data in the oil industry. However, valuable data is of course far from exclusive to the oil field, and Chris offered some words of wisdom for data protection professionals across the board. “The best way to squeeze value out of data sets, which companies have is the same way to best protect it – classify it, clean it, organise it”. Thus, those that treat their data with this level of importance have a significant opportunity to really stand out and add value. Chris continued, “that same classification of data allows cyber security teams to focus on protecting the data that really matters”. This is the data where the real organisational value lies, value that will only continue to rise in the future. If oil is, as the saying goes, the new gold, then data may very well be the new oil.