Q&A With Alan Jenkins CISO-In-Residence at Cylon Labs
In this edition of Cyber Smart Consulting CISO Insights we ask Alan Jenkins (CISM, CISMP, CSP) for his views on some common security concerns.
CISO-in-Residence at Cylon Labs.
30+ years' experience in all facets of security, particularly cyber and enterprise security risk management, with a focus on 'value-at-risk'. Broad range of experience across several market sectors, including extensive experience in Consulting and Defence.
Guest lecturer at The University of Manchester, providing leadership insights to students on the Cyber Security MSc course.
What are common cyber security concerns in the boardroom right now?
Risk/liability exposure, business resilience, effectiveness of controls, return on investment linked to cost benefit analysis.
What metrics or KPIs do you use to measure security effectiveness?
KPIs should link to the business concerns above, plus progress report(s) on related improvement projects. If the board is interested, report on patch status/time to patch/related trends against the requirement to reduce attack surface, and the latest news items that are relevant to the business (industry sector, geography). If available, latest incident reports, lessons identified, Mean Time to Detect, Respond & Recover from events/incidents, and future work to improve/mitigate risk. Bottom line: it has to be relevant & appropriate to the audience, whether Board, Audit & Risk Committee, Stakeholders etc.
What topics are being neglected at board level?
This will vary considerably, but I’d suggest that boards would do well to be more involved in Crisis Management training & that they should lead by example.
Is it fair to be accountable if you are restricted by budget restraints?
Yes, it is fair because it goes with the territory. No one has a blank cheque book. It's prudent to track identified risks, associated owners, related mitigation activities, and any quick wins if more money is made available.
What’s the best way to get board level buy in?
Listen to them individually and collectively, get to know them, identify their drivers and socialise what you are doing to support them in achieving their objectives as well as those of the business. Talking their language means recognising how security adds value to the business through protection of brand reputation, revenue streams and assets.
Is a risk based approach to cyber security the only way?
No but it is probably the most effective way to determine where to prioritise effort/ investment to achieve risk reduction & improve business resilience.
‘Insider Threat’ is a common discussion point, what’s your view?
When conducting your Threat Assessment, you should take into account all sources of potential threats, including from insiders, whether malicious or accidental. But rather than falling into the simplistic trap of 'people are the weakest link', I'd advocate being more positive. There's often room for improvement in staff awareness programmes that recognise that staff are part of the solution, as one line of defence; if you strike the right tone appropriate to your organisation, you can harness them to great effect and significantly reduce people risk for relatively little investment.
Aside from the people angle, you certainly need to identify your organisation’s ‘Crown Jewels’, those assets that are critical to business success. These might range from R&D activities generating future revenue streams to key production machines that have a long lead time to repair/replace, particularly any single points of failure. You shouldn’t try to protect everything equally all the time. Focus your efforts on these assets. Review your cyber security controls against the ‘Cyber Kill Chain’: try to fill any gaps in Detection or Response, avoid point solutions if possible and minimise duplication unless you can afford it. Perhaps most importantly, ‘Know your Enemy and Yourself’, think Method, Motive & deny/reduce Opportunity wherever feasible.
What do you think will be the biggest changes for cyber security teams in 2020?
I think there will be greater emphasis on improving the Security Orchestration, Automation & Response (SOAR) capability, particularly the optimisation of response & recovery processes for those who have already invested in SIEM & related technologies. This does not necessarily mean buying a SOAR platform: optimise process first, sweat your assets to utilise their full capabilities & rehearse, often!
Is there a genuine cyber security skills gap? Are you addressing them in your own teams?
Consensus would seem to suggest so, but I think the real issue is how do we harness the talent pool wanting to get into cyber security and develop them all once they are in? We don't have 30 years to amass my & others' experience, so how can we accelerate the skill and knowledge transfer to the next generation? It's not all about technology, either. We have to write better job descriptions & look for potential, not just experience, then develop that talent, remembering the need for diversity, not just of gender.
What’s been your key to success?
I think I’ve muddled through because I’ve had a broad range of experience and recognise that I’m not an expert in a particular vertical so know that I need to build a team of complementary skills and personalities such that the sum is greater than the parts. I’ve also improved my communication skills and continue to do so, particularly around storytelling such that the non-security folks understand that it’s not a dark art, that improvement is achievable and that everyone needs to play their part.
What advice would you give to current CISOs or aspiring ones?
Be prepared for the long game but remain flexible to respond to the unexpected. Build resilience in yourself, your team, your business and your supply chain such that all are better prepared for the ‘Black Swan’ events. Try to have fun and enjoy what you are doing – it matters!
Many thanks to Alan for taking the time to speak with us and sharing his valuable knowledge and insights. His comments on the cyber skills gap and best practices for talent development are particularly welcome. With the UK cyber security unemployment rate predicted to remain at 0% until 2021, these market conditions do call for organisations to adopt a different approach to talent management in this niche.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.