As if being an information-security specialist wasn’t difficult enough with just the actual job of securing your employer’s systems to worry about, there’s another problem many in the field are facing. Let’s think of it as a kind of internal and external form of public relations, where the infosec professional is forced, sometimes, to over-state their systems’ capabilities and underplay the threats they face in order to keep a nervous customer base confident, while at the same time ensuring management understand that investment in digital security is vital and funding for it should not be cut. It’s the catch-22 of the cyber-security age.
This imbalance, between the public and private faces businesses try to maintain when considering their digital security, is at the heart of the next RANT Forum presentation, “Underperformance in Cyber is Silent,” which will be given by Fredrik Hult. The founder and CEO of Cyber Resilience Ltd., Hult has spent years in industry (with stints in cyber security at BP, Credit Suisse and ABN Amro among others), and is an advocate for strong leadership in cyber. He trained in group dynamics and leadership at the Swedish Defence College and, as he tells the Acumin blog, he is “currently active in pushing the envelope on leadership, threat intelligence, red teaming and cyber maturity frameworks.” From this most informed of perspectives, the view is bleak: but Freddie isn’t just going to outline the problems – he will be offering some possible routes out of the present dilemma.
“Most security professionals are trying to do a good job but suffer from being under the cyber poverty line,” Hult says. “I define the cyber poverty line as not having sufficient resources, people, capital, technology or skills in order to remain resilient to organisationally relevant cyber threats. A strong situational awareness capability with detection and threat intelligence is the core of cyber: the weaker capability you have, the safer you feel. Add the cyber poverty line to this – and cyber being perceived as too difficult or too costly – then there is a process of self-justification that things are not that bad and that threats do not apply to the firm.
“I have come across countless firms that believe they are ‘secure’ and suffer no incidents,” he continues. “There is also an incentive to not invest in situational awareness and it has a lot in common with how some people deal with health issues. They avoid getting diagnosis and going to the doctor. Why? Because knowledge of issues means accountability to act. This leads to avoidance behaviours. Especially when you’re resource-constrained it is perceived to be better to ignore and hope for the best.”
In his presentation, Hult intends to outline the root cause of the problem – “the internal stakeholders are often quite bad buyers of such services which means that they keep underperforming organisations rather than asking the right things of the cyber leadership” – but there will also be some crumbs of comfort for workers toiling at the digital coalface. Solutions to a problem that may appear overwhelming and untackleable do exist, Hult will argue – though bringing them to board-level attention will still require courage.
“The take-away I hope for from my RANT is for all of us to ask to have less answers and higher-quality questions on how we approach cyber,” he says. “Managing the different innovation pressures of business using minimal resources is difficult when facing an asymmetrical threat. The current avoidance behaviours that exist need to go, and increased collaboration and opening of kimonos would benefit us all.”
So, bring yourself and your ready-to-open kimono down to our usual City of London location on Wednesday, and be prepared to learn a few new questions to ask. It all kicks off at 5:30pm, with the presentation due to start around 6:30. Food and drink, as always, are free, but prior registration is a must. Please contact Donna Wreathall at Acumin on email@example.com or 0207-987-3838 to reserve your place; the event is nearly full so get in touch as soon as possible.