Meet the expert: Susanne Bitter to speak at #RISK London

Taking place on October 18 and 19 at EcXel London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.

The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.

Susanne Bitter is Head of Regional Strategic Alliances at Cyber Security Forum Initiative. A certified and passionate Information Security and Data Privacy professional, Susanne leverages over 15 years industry experience.

Susanne will be at #RISK London to debate what “reasonable” means when it comes to the security measures that organisations need in place to ensure compliance and to achieve robust levels of protection.

Below, Susanne talks more about her professional journey and the themes of her #RISK London session.

Could you briefly outline your career so far?

From early age, I have been attracted to world of 1s and 0s. So, after my long-term career in top management of Samsung I made decision to progress further where my passion and love lay: the digital world and all things related to information security, cyber security and privacy. 

Since then I have had the privilege of working as a contractor within the most interesting and fascinating private and public companies on various projects and roles. I have also served at non-profit organisations, such as CSFI, BCS, The Chartered Institute for IT and ISACA London chapter.

From time to time I also teach various courses related to information security, risk management, business continuity and disaster recovery, which allows me to raise the knowledge of individuals in given areas and contribute that way to safer digital world. I am also a candidate for a PhD in Information Security at Royal Holloway University.

What are the primary factors to consider as companies bid to establish “reasonable” levels of security?

It all starts with the company on its own and recognising what the organisation values and requires to protect. This is not a small task and must be considered on a continual basis, as the environment is endlessly changing and the applied security measures must remain relevant and fit for purpose. 

Often companies use their “risk appetite” – something that defines their willingness to undertake a certain risk in order for various business gains, be it launch speed, market share or innovative advantage. These elements must all be considered when thinking about security and applying specific measures, as often security controls are sadly seen as a blocker. 

However, without these controls in place, you could run into scenarios that could have a catastrophic impact on the business and its future. Therefore, finding that fine balance between these elements is crucial for a success. 

The next factors to consider are company culture and security habits – or any habits that might represent a risk behaviour. Workforces will likely adopt the behaviour patterns applied by leaders or by the working “majority”, therefore it is strongly recommended to look into these areas and consider suitable security awareness activities.

One of the newer trends sees movement towards a mindset of “secure by design” which brings consideration of security to the front of anything that companies are doing, especially these producing connected products and applications. 

For some companies, this approach could demand a complete revamp; there remain many companies that still apply security measures only at the end of the process, if at all.

Lastly, companies should consider their capabilities within the workforce and tools available to support the security cause. This needs to be approached with a critical, risk-based approach and with an aim that sets up a baseline of security that fits the organisation overall.

How might evolving data protection and privacy regulatory frameworks in the UK and in the EU influence businesses’ security baselines?

I think it is good that these regulatory frameworks exist and it is also necessary for those frameworks to evolve further. Privacy cannot exist without security measures, therefore the security requirements will develop further, as it is necessary to raise the data protection level up to be able to sustain ever-evolving threat environment. 

I can imagine that going further, the baseline will be consistently increasing and companies will be “pushed” to improve their security posture due to these legal frameworks (and not only privacy-related). 

As professionals are in the heart of development of the regulatory requirements, especially concerning privacy and security, I believe these frameworks will be fit for purpose and they will be continuing to utilise global best practice as their guidance.