With Cyber Security encroaching upon everyday life more and more by the day, through a combination of an increasingly inter-woven web of connected devices and a growing presence in mainstream news, the men and women responsible for protecting businesses and organisations find themselves increasingly in the spotlight. This growing attention is far from all bad however, and with increased scrutiny comes an opportunity to be recognised for excelling in the field. As a regular figure for commentary on both BBC and Sky News, Phil Cracknell is one of the highest profile and most recognisable names in Cyber Security, and we were delighted to get the chance to talk with Phil about his thoughts on the role of C-Levels Executives in tackling Cybercrime, and the challenges facing Cyber Security practitioners.
So how does one become a Cyber Security celebrity? As a UNIX engineer back in 1989, Phil recalled that his level of experience working with the UNIX operating system and networking was rare in that time, suggesting there was an element of “right place right time” in his early success. Having taught for HP and Sun Systems on their firewall platforms, networks and security, Phil expressed the value of the technical knowledge that such jobs allowed him to accumulate, “If you know something at a deep technical level, you know how to circumvent things and therefore how to defend them”. It is this intimate knowledge which has proved pivotal over the course of Phil’s Security career, a career which has provided Phil with the expertise to cast a critical eye over the state of modern Cyber Security.
Since the early nineties when Phil’s career in Security began to take off, one area of noticeable change has been in the organisational structure responsible for the security of information and data. With the stratification of C-level roles into smaller, more target focused roles such as Chief Data Officers, Chief Digital Officers and Chief Technical Officers, the role of Chief Information Officer has evolved, most significantly in response to the emergence of the Chief Information Security Officer role. The roles of CIO and CISO, as their similar names suggest, are heavily intertwined, and successful protection and usage of information requires their cooperation. Phil’s work has been impacted by this dynamic, with two of his recent projects involving objectives relating to the roles of security and IT. Unfortunately, Phil reports, cooperation between the two may not always be straight-forward, with business politics and budgetary concerns constituting barriers to a harmonious working relationship. Recalling one of those recent projects, Phil added that “the security function was in conflict, and the IT lead considered Security as a ‘power chip’ in a political game”.
How else then, should an organisation attempt to manage this fractious situation? As with bickering siblings, one approach is perhaps separation of the uncooperative parties to circumvent their differences in opinion, but Phil warns this may not be the ideal solution hoped for, stating that “taking Security out from under IT could cause as many problems as leaving it where it was”. While perhaps preventing the conflict of interests situation previously present, such a move undoubtedly reaps unintended side-effects. Phil explains that “The traction lost by Security being further away from the technical operations can mean some control is lost, oversight compromised and business as usual patching and vulnerability management becoming harder to operate”. Instead of this approach, solutions that focus on achieving strong interoperability, and promotion of teamwork seem preferable, allowing both IT and Security departments to achieve their respective targets. Such an approach though, requires strong leadership and direction from the C-Level Executives responsible for said departments, and as such, experienced and effective CIO’s and CISO’s are invaluable assets to any organisation.
Phil was also keen to bring focus onto the lack of quantification in Cyber Security, pointing out that “What good looks like is becoming increasingly important”, and as such, the ability to define what construes “good” Cyber Security takes priority. Phil has long made strides in developing co-operation between CISO’s with a number of purposes, one of which is the quantification of Cyber Security standards. Initially focusing on “anonymous surveys of CISO’s to fill the void of information regarding breaches”, this work has since evolved into The Metrics Project. The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of Information Security, with over 50 UK CISO’s involved. As the collective work of over 350 CISO’s over its current lifespan and purposely avoiding vendors and analysts thus far, the Metrics Project focuses on developing something that will deliver true value to the businesses of those involved, in Phil’s words – “By the CISO, for the CISO”.
Phil emphasised the role of metrics as “very much the key to our future” in measuring and validating the effectiveness of Cyber Security. “Businesses are waking up to the fact that they need metrics and risk indicators that our board, audit committees and non-executive directors are able to understand”. Promoting a “report what you should, not what you can” mind-set from organisations, Phil suggests metrics have the ability to affect business practice in a number of ways. Metrics can demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint responsibilities and highlight levels of investment”, all of which provide a great insight into a sector and tangible, measurable indicators of Cyber Security suitability.
Having been in Cyber Security for over 20 years, the quirks and trends of the industry are no longer a mystery to Phil, and looking forward, Phil is able to offer an insight not only on the current state of the industry but also into where this fast-paced and largely unpredictable industry may be headed. Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Phil draws attention to the softer skills involved in effective Cyber Security. “Security leads are still procuring solutions that don’t address their top issues or risks. Good risk management will avoid this, and of course a solution for a risk doesn’t always have to involve buying hardware, software or a service at all”. Instead, Phil advocates an introspective business model, with training of staff and improved process management. Casting a glance to the future, Phil addressed the rising trend in both work and society of ‘Bring your own Device’, and the risks associated with such a trend – “With our corporate perimeters expanding and even disappearing entirely, and the prevalence of personally owned devices in our work environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data”.
Phil Cracknell will talk as part of the Cyber Security Summit at 3:30pm, with the title “Measuring Success: Metrics for Cyber Security Strategy“.