TALKING HEADS
Knowledge is power in cyber security
Deeph Chana
Engage in continuous learning around what new technologies mean for cyber security.
Cyber security can seem
obscure, but in many cases,
it’s about dealing with the
risks that arise from common
human behaviours. Using and re-using
simple passwords or replying to emails
without checking the identity of the
sender seem like common slip-ups but
can often constitute cyber breaches.
These scenarios play out across
organisational boundaries and all levels
of seniority. The chance of a cyber
security breach occurring is heightened
when people believe that dealing with it
is “someone else’s problem”.
Organisations need to cultivate
a widespread and adaptive security
culture, driven by leaders who
continuously learn and update their
knowledge and skills. The 2018 FTSE
350 Cyber Governance Health Check
showed that boards are increasingly
recognising the importance of cyber
security, but this is rarely followed up
by actions to develop and establish
sound security practices. Only 16% of
respondents said their boards had a firm
grasp of the wider impacts associated
with a cyber security incident.
This suggests that executives lack the
depth of knowledge needed to make a
decision on whether to take action — but
why? According to the Research Institute
in Trustworthy Industrial Control Systems,
a multi-university research programme
led by the Institute for Security Science
and Technology at Imperial College
London, the knowledge shortfall
can be attributed to inaccessible
technical language.
This language barrier can play a
significant role in obstructing the timely
escalation, examination and mitigation of
risks. Boards and senior staff simply aren’t
asking the right questions about cyber
security risks within their organisations;
faced with a lack of clear information,
employees will often use their own
judgement on best practice, which can
lead to negative consequences.
Investment is also needed in
organisational resilience. In the FTSE
350 survey, just 46% of firms with a
cyber security strategy could point to a
dedicated budget for it. Cyber security
is still often seen as a purely technical
issue, meaning that provision for dealing
with it is assumed to be taken care of
within IT budgets.
Of the businesses surveyed, 29%
said their strategy was largely focused
on technology improvements and
implementation. However, it’s crucial that
businesses do not isolate their efforts
solely within specialist teams. This only
promotes compartmentalisation.
Leaders must keep abreast of
what new technologies mean for
cyber security. Without a basic level of
technical competence, they will struggle
to ask good questions and contribute
effectively when identifying and
prioritising risks, enacting appropriate
measures to minimise exposure,
dealing with crisis events and generally
driving the continuous development
of the security culture within
their organisations.
Today, it is critical to create a culture
in which leaders are knowledgeable,
communication and collaboration
around risk across teams is effective,
and investments in solutions are broader
than technology. Decision makers must
be engaged in continuous learning for
this to happen. But picking the right
blend of solutions will be an enduring
challenge — there’s plenty of snake oil
out there.
Professor Deeph Chana is co-director of
Imperial College London’s Institute for
Security Science and Technology and its
Centre for Financial Technology.
February – May 2020 // 53