Taking place on October 18 and 19 at ExCeL London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.
The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.
Susanne Bitter is Head of Regional Strategic Alliances at the Cyber Security Forum Initiative. A certified and passionate Information Security and Data Privacy professional, Susanne leverages over 15 years of industry experience.
Susanne will be at #RISK London to debate what “reasonable” means when it comes to the security measures that organisations need in place to ensure compliance and to achieve robust levels of protection.
What Are ‘Reasonable’ Security Measures? It Depends.
Thursday 19th October 2023, 15:00 – 16:00 BST
Below, Susanne talks more about her professional journey and the themes of her #RISK London session.
Could you briefly outline your career so far?
From an early age, I have been attracted to the world of 1s and 0s. So, after my long-term career in the top management of Samsung, I made the decision to progress further where my passion and love lay: the digital world and all things related to information security, cyber security and privacy.
Since then, I have had the privilege of working as a contractor within the most interesting and fascinating private and public companies on various projects and roles. I have also served at non-profit organisations, such as CSFI, BCS, The Chartered Institute for IT and the ISACA London chapter.
From time to time I also teach various courses related to information security, risk management, business continuity and disaster recovery, which allows me to raise the knowledge of individuals in the given areas and contribute in that way to a safer digital world. I am also a candidate for a PhD in Information Security at Royal Holloway University.
What are the primary factors to consider as companies bid to establish “reasonable” levels of security?
It all starts with the company itself recognising what the organisation values and requires to protect. This is not a small task and must be considered on a continual basis, as the environment is endlessly changing and the applied security measures must remain relevant and fit for purpose.
Often companies use their “risk appetite” – something that defines their willingness to undertake a certain risk in order to achieve various business gains, be it launch speed, market share or innovative advantage. These elements must all be considered when thinking about security and applying specific measures, as security controls are sadly often seen as a blocker.
However, without these controls in place, you could run into scenarios that could have a catastrophic impact on the business and its future. Therefore, finding that fine balance between these elements is crucial for success.
The next factors to consider are company culture and security habits – or any habits that might represent risk behaviour. Workforces will likely adopt the behaviour patterns applied by leaders or by the working “majority”; therefore it is strongly recommended to look into these areas and consider suitable security awareness activities.
One of the newer trends sees movement towards a mindset of “secure by design”, which brings consideration of security to the front of anything that companies are doing, especially those producing connected products and applications.
For some companies, this approach could demand a complete revamp; there remain many companies that still apply security measures only at the end of the process, if at all.
Lastly, companies should consider their capabilities within the workforce and the tools available to support the security cause. This needs to be approached critically and on a risk basis, with the aim of setting up a baseline of security that fits the organisation overall.
How might evolving data protection and privacy regulatory frameworks in the UK and in the EU influence businesses’ security baselines?
I think it is good that these regulatory frameworks exist, and it is also necessary for those frameworks to evolve further. Privacy cannot exist without security measures; therefore the security requirements will develop further, as it is necessary to raise the data protection level to be able to sustain an ever-evolving threat environment.
I can imagine that going further, the baseline will be consistently increasing and companies will be “pushed” to improve their security posture due to these legal frameworks (and not only privacy-related).
As professionals are at the heart of the development of the regulatory requirements, especially concerning privacy and security, I believe these frameworks will be fit for purpose and will continue to utilise global best practice as their guidance.
Don’t miss Susanne Bitter discussing these issues in depth in the #RISK London panel debate: “What Are ‘Reasonable’ Security Measures? It Depends”.
Security laws and frameworks require security teams to take a risk-based approach to defending against threats, determining the “reasonable” level of security relevant to the context in which they are operating and the systems they’re trying to protect.
Determining what is “reasonable” is no easy task, sometimes requiring input from several departments and careful resource allocation. But getting this right is a crucial element of demonstrating your company’s compliance.
In this session, security experts and experienced practitioners will share their views on how to determine a baseline level of security that meets the company’s obligations and provides effective protection against inbound and outbound security attacks.
Also on the panel:
- Henry Jiang, Chief Information Security Officer, Diligent
- Luke Crosby, Deputy CISO, Ministry of Justice UK
- Adam Low, CTO, Zivver
- Samantha Humphries, Senior Director of Security Strategy, International, Exabeam
The session sits within a packed two-day agenda of insight and guidance at #RISK London, taking place on October 18 and 19 at ExCeL London.
The event unites thought leaders and subject matter experts for a deep-dive into organisational approaches to handling risk. Content is delivered through keynotes, presentations and panel
Session: What Are ‘Reasonable’ Security Measures? It Depends.
Location: Security Theatre
Time: 15:00 – 16:00 GMT
Date: Thursday 19 October 2023