
If Security Isn’t Working For The People, It’s Not Working At All

Simon Hodgkinson
01.12.2022

Illustration by Hady Tse

Changing the cybersecurity behaviors of thousands of employees at enterprise scale is no easy feat, but Simon Hodgkinson (with 35 years in the IT and security field) has done it before. In a recent RE: Human Layer Security Podcast episode he explained why the best security is invisible to employees, and what makes the job of the CISO harder than ever.

This whole podcast episode is a must-listen for any security professional, but Simon’s top three takeaways can be found below.

Cyber threats have grown exponentially in the last 35 years, but organizations have struggled to keep up

At the start of my career, cybersecurity wasn’t even a thing. Cyberattacks did occur in the 1980s but they were few and far between. Today, cyberattacks are a daily occurrence regularly seen in the mainstream press. A report by the Department for Digital, Culture, Media, and Sport in the UK stated that in the last year, almost half of businesses and a quarter of charities have had cyber breaches or attacks – so there has been a huge shift over the past few decades. To many, this increase in cybercrime has come as no surprise. Cybercrime tends to have a very low cost of entry, with a low risk of being caught, and offers pretty high rewards… so it’s easy to see why someone might want to be a part of that.

But although the visibility of attacks has increased, we still don’t really value the human side of cybersecurity enough. Typically, cybersecurity has always been buried in IT and tech, with technologists throwing tech at problems. So when cybercrime expanded exponentially, organizations were caught out, and only the top organizations or the ones with strict regulatory requirements responded well.

The role of the CISO has changed hugely over the past decade and is set to change even more

The creation of the CISO was a very technical response to the rise of cybercrime. Initially, the role focused on the IT side of the problem, but it is now hugely varied. 

Cybercrime is as much a human problem as it is a technology problem, so there is a whole cultural and behavioral-change side to the CISO role.

There is also the regulatory side – many CISOs need to oversee the whole governance and compliance regulatory landscape. Further to this, legalities need to be considered to ensure things like business continuity. All of these branches are no longer in the realm of just the IT department. So, the role of the CISO is now much broader than just technology, and the position needs to be elevated to reflect that. 

In ten years’ time, the role will have grown even bigger in response to exponentially growing threats. Cybersecurity conversations will need to be had at board level very frequently – maybe even once a week. Factors like globalisation will also increase challenges further. The role is fast becoming an enormous, 24/7 job, and the question I have at the forefront of my mind is simply: in ten years’ time, how many people will want to be a CISO?

The ultimate goal in cybersecurity is to allow people to do their job securely without seeing security at all

You have got to put people at the heart of security. The role of security is to enable the organisation to achieve its objectives. So, if your security measures aren’t working for the people then they are not working at all. Historically, part of the challenge has been that we have made security measures quite hard to execute. For instance, when multi-factor authentication was first rolled out there were so many steps – it was just difficult. The same goes for secure enclaves for highly sensitive data, which were very difficult to get into. People need to get their jobs done, and we didn’t think about that human factor.

This thinking has led us to the notion of embedded security – if you can allow people to do their job securely without seeing security at all, that’s a fantastic outcome. 

For more from Simon on the role of the CISO and on making security work for employees, listen to our Tessian Podcast episode here.
