“If organisations aren’t willing to take risks, there will be plenty of others who are, and ultimately your business is going to be behind your competitors if you do not too.” – Lee Barney, Head of Information Security at Marks and Spencer.
How to manage risk is fast becoming a key attribute for the new breed of CISOs. Following his keynote session on Next-Generation CISOs at InfoSec 2016, we spoke with Lee Barney, Head of Information Security at Marks and Spencer, to ask him how it’s done.
In this Q&A he offers candid insight into risk management, and shares his views on the dilemmas of security vs agility in digital businesses today.
What’s been the biggest game changer for businesses in terms of security?
The rate and pace of change itself has been the biggest game changer. The one thing I tell people is that you can’t get in the way of change; it’s going to happen anyway. So many people try to block change rather than embrace it, and they end up moving back from the position of understanding what it’s all about to shutting it out – effectively, not doing anything. Generally, that’s about a fear of risk, but ultimately, doing nothing is the riskiest position of all.
Why? Well, the reality is that if organisations aren’t willing to take risks, there will be plenty of others who are, and ultimately your business is going to be behind your competitors if you do not too. It might be a smaller player who doesn’t know or doesn’t care about risk decisions, or doesn’t want to factor in contingency or response plans because it’s too slow, but if they’re taking your sales, you’re at a loss already. My point is that neither solution is correct: you shouldn’t ignore risk and you should fear it; just embrace it, face into what could go wrong and plan around it.
What is the biggest opportunity for CISOs today?
The biggest challenge CISOs have is ironically also the biggest opportunity: the cloud. We want to use cloud because it’s cost effective, scalable and quick. The biggest issue is that in order to make it so, it has to be shared.
I don’t doubt that the big cloud providers are more than capable of owning their own security, but for many it’s about the unknown consequences. Even so, that’s just a fact of life nowadays, given the threat environment we live in, and it shouldn’t put CISOs off investing in cloud technology.
What is the role of the CISO in making IT purchase decisions?
The job of the CISO is to research and present the facts. Make sure your business understands the risks and ensure the data owners sign off on them. We face risks in life all the time – it’s about whether we take the time to truly understand what might go wrong and sensibly make decisions about how to mitigate it. If your business will benefit from that product, security shouldn’t be a worry – it’s about objective risk assessment. It’s up to you as a CISO to describe the threat and the impact, and put it to the rest of the organisation to accept it. It can be hard to get people to accept risks, but it’s not nearly as difficult as it used to be!
In my experience, these threats very rarely happen. It doesn’t mean they don’t happen, but it’s very rare. Having a good plan in place in case of disaster helps a lot, but the key thing is right at the start: don’t scaremonger, present the facts, and get your stakeholders on board.
What advice do you have for CISOs?
A lot of CISOs have resisted change because they see risks that just don’t exist. It’s a confirmation bias: people hear something, and hear it again, and before you know it they’re looking for the problem everywhere. That’s happening a lot in cyber security at the moment, and I don’t know where it will end.
My advice to CISOs is to think clearly: which risks are actually pertinent to my business – and how likely are they to really happen? The role of a CISO is simply to present the facts.
As part of this it’s important to identify your priorities – they’re not the same in retail as in government, for example. Unless you understand who and what might do your business harm, you can’t protect it. If you understand exactly who might break into your systems and why, you can clearly identify whether or not a technology represents an avenue of attack or an opportunity for your business. For a retailer, the benefit of the cloud on its own far, far outweighs the risk.