Security: more than just “tech”

Unlike the practitioners with their years of knowledge unpicking problems from the inside of large multinationals, I typically work with much smaller businesses – the ones that have enough risk to need cyber advice, but who don’t have enough budget to bring in full-time support.

When I’m meeting with much larger customers, it’s because of my knowledge of the SME sector and the contribution I can make to understanding third-party risk and the sheer breadth of cyber security challenges that exist within a supply chain.

I’m always on the outside looking in.

My experience means that I see the most black and white cases of why businesses need to have oversight of cyber risk at board level. Because, to a small (or sometimes not so small) business where there are no senior managers with IT knowledge, it’s really easy to think that outsourcing everything (or just letting non-expert employees make IT happen… somehow) is fine so long as whoever’s doing it for you is selling you some software or services that say they’re “security”.

And then they have a few near misses and more people sell them more things that say they’re “security”, because the decision makers think technology is what security is.

Eventually, they have a breach and someone like me has to tell them that “security” isn’t something that can be solved entirely with technology; that they hadn’t heard that before because their suppliers could tell that they were looking for a quick fix to a complex problem… And maybe they weren’t independent advisors, so it wasn’t in their best interest to bite the hand that feeds them.

It’s left to someone like me to help them understand that the gap in their security is the fact that they’ve outsourced risk with their requirements – without knowing what the risk was or what they retained.

On what’s already a hard day that small some businesses don’t survive, the owners and boards in these companies find out that the problem is in strategic planning, management and consistency… when they were expecting a tech problem that they didn’t understand.

It means that when I report my findings, what I say most often is that the business needs more knowledge and ownership of cyber security at board level. I don’t suggest that they need a virtual CISO – another layer of external consultancy is just going to obfuscate their problem further. I ask them to choose someone on the board to own cyber security. Let someone like me coach them from the background so that their special interest provides a sponsor, confident in comparing cyber risk with other risks at the board level.

In smaller businesses, where it’s increasingly easy to outsource the whole IT function and affordable security is hard to find, the most important thing I end up telling them is that the buck stops with the board. Just as with cyber breaches, the problem they’re trying to solve isn’t about technology; it’s about people and decisions. Businesses hit a ceiling trying to reduce risk and mature their security because it’s siloed within the IT function. The most value I can add is in influencing the board to take ownership of cyber risk.

It’s advice that translates to businesses of any size: if the board still thinks cyber security is uniquely an IT problem to be delegated, then the business can’t mature beyond rudimentary risk reduction.

Cyber security is about strategically managing risk. When we stop being distracted by the discombobulating array of technical measures and take it back to the question of “Who should be choosing our risk appetite?” the answer is obvious – most boards don’t want to blindly delegate one of their top three risks to the IT guy… even if they’re diversity-aware enough to know that the “IT guy” is an outdated stereotype.

By Dr Emma Osborn, independent cyber security consultant Emma Osborn, OSCRC