EXPERT OPINION
vulnerability. This will help them to be in a better position to repel the next attack when it takes place – be assured that this is ‘when’, not ‘if’.
However, simply training staff isn’t going to change things. Organisations must work harder to create a more diverse workforce. And there will be opportunities. For example, when an organisation invests in technical tools to provide more intelligence around threats, or higher levels of protection, additional staffing resources may be needed to configure systems, manage and analyse findings, and respond to them.
Equally, when an organisation implements training and awareness initiatives to arm its staff, new staff may also be required to design and manage the ongoing awareness work. A diverse intake of staff at this point will allow the new tools, or initiatives, to be designed, implemented, measured and managed in new and unexpected ways.
To widen the hiring pool, organisations can also usefully consider candidates with skills that are less obviously relevant to information security, such as marketing, sales, communications and logistics. They can also create a talent pipeline for the future through apprenticeship schemes or internship programmes.
Culture and the sacrificial CISO
As organisations work to improve their ability to manage information risk, the importance of having a Chief Information Security Officer (CISO) is also being recognised very broadly. However, the person in this role needs to be a part of regular discussions at boardroom level to engage effectively with senior staff and hence encourage them to sponsor organisational change.
It is also important to recognise the impact of different security cultures. The role of the CISO, for example, varies hugely depending on the organisation and industry, with some CISOs having board membership, budget control and large teams, and others reporting many levels below the CEO and having to apply for resources from other teams. This obviously influences the range of cybersecurity roles available in the organisation but potentially also affects the ability of the CISO to achieve their assigned objectives.

“We are in the midst of many unofficial guerrilla cyberconflicts which only seem to be escalating and this is impacting the threat and compliance landscape.”
Worryingly, a CISO role is sometimes designed as a scapegoat role, held in readiness against a likely future breach as an alternative to actually improving risk management. Will prejudiced hiring approaches lead to more minorities and women being picked to fill this ‘sacrificial CISO’ role? On this note, organisations will always look to the board to set an example; what proportion of top management are female or ethnically diverse?
The current status of the diversity debate and the underlying trends
What we see currently in the diversity debate are questions around whether people are being treated equally. The fact that such questions are being asked implies that we still have a problem; but the ability to ask these questions also enables us to recognise, call out and redress unfair treatment. Women are still tragically under-represented in both information technology and information security, so there is a critical need to encourage a more inclusive approach towards hiring and towards the treatment of women once they are in post. Each individual is unique and has competencies which should be valued and managed. When we can transcend biases, it will ultimately benefit and strengthen our industry.
Conclusion
With staggering financial losses due to cyberattacks costing organisations in the
Issue 14 | www.intelligentciso.com