23rd March 2020
Read the summary blog below which discusses the moon landing mindset, how cybersecurity became mainstream and how to focus the Board on to your cybersecurity programme.
SureCloud is a long-standing member of the ISF and proud sponsor of the ISF World Congress 2020, as well as a provider of GRC solutions that include an ISF approved IRAM2 solution.
This is my account of the event and some of the key takeaways I identified from the standout presentations.
The first week of March 2020 saw many of the British-based ISF members head to London for the UK ISF Spring Chapter Meeting in the West End. Held three times a year, the ISF Chapter Meetings provide an opportunity for Members to meet and discuss security and risk management issues within their region. This two-day event provides a peer-to-peer forum for professional networking and exchanging ideas, in addition to learning from industry experts and ISF Analysts.
From a personal perspective, this year’s UK ISF Spring Chapter Meeting encapsulated two key areas: looking back and learning from failures, and preparing for the future by optimising current programmes, people and processes.
So, to begin at the beginning…
Richard Wiseman set the scene for the conference with his book “Shoot For The Moon”. Wiseman was the first to interview the mission controllers who got man to the moon, wanting to dive deep into the mindset of success and project management. He took us through the failures, including the January 1967 fatality, which led to the victory two years later, as well as the Kennedy mindset of “go away and think bigger”, which gave a group of middle-American twenty-somethings the chance to achieve the impossible by the end of the decade. The lack of ego, combined with their drive and passion “to do their bit”, made for a successful team that spoke only as “we” and “us” rather than “I” and “me”. Wiseman talks of eight key points to achieving the “Apollo Mindset”. My top three favourites were preparedness, the power of small wins and openness to mistakes. Essentially, getting on with it and working hard without ego stopping you!
I was inspired listening to how the world came together in celebration as they watched the most televised event in history (over 53 million households, to be exact). I asked Wiseman where we are now in this individualist society fuelled by social media likes and shares, and whether we would ever be able to have a similar global moment again. His optimistic side hopes we will.
Considering the current worldwide issue of the Coronavirus (COVID-19), it seems as if it may be the perfect time to tap into the 1969 spirit of working together rather than isolating ourselves as siloed countries and regions. Some individuals have already embraced this collective mindset – check out the BBC’s article on acts of kindness during this unique time to get inspired here.
Moving forward into the 2010s, Naina Bhattacharya from Ernst & Young supported Forrester’s claim that the 2010s were the decade when cyber hit the mainstream. The decade began in 2010 with UK National Security rating cyber-attacks as the #1 threat, which set the scene for the years that followed. Cybersecurity then hit the headlines, our silver screens with shows such as Mr Robot, and our social media channels, including the infamous Facebook and Cambridge Analytica data breach. By 2019, there was a noticeable breach occurring month on month, including Marriott’s and British Airways’. This progression moved our mindset from ‘if’ to ‘when’ we will suffer a cybersecurity attack, and cybercriminal groups now operate like traditional professional organisations, with holidays, set hours, quarterly goals and so on. Despite this widespread coverage and awareness, we ended the decade with cybersecurity still feeling very much like a bolt-on.
How do we evolve beyond this in the 20s to an effective built-in cybersecurity programme? Naina advises:
Graham Rance from BitSight reflected as far back as the start of the millennium before bringing us up to today, and spoke about how to focus on Board-level engagement. He began with measurement of security outcomes, which initially focused on the absence of negative outcomes through objective-based measurements, resulting in standalone compliance processes that do not embed compliance efforts within an organisation’s business-as-usual activities. The next phase is the familiar active testing, in the form of Vulnerability Management, which is an improvement for communication as it is easier to speak to the Board about progression, particularly if you have a dashboard system to report on progress. Integrated Risk Management was then introduced to the mix; however, the definition and scope of the different elements that fall under the IRM umbrella can cause complex communication challenges without the right clarity and reporting, often derived from tooling.
BitSight has introduced security ratings to help plug some of these gaps by enabling clear visibility which leads to easy discussions with stakeholders and provides daily updates and alerts. The BitSight offering provides you with accurate, measurable reporting, which reflects the changing vendor risk landscape and your levels of compliance/vulnerabilities against industry recognised frameworks. This handy quantitative reporting feature is now integrated into SureCloud’s Third-Party Risk Management solution. If you’d like to learn more about the exciting joint offering, please click here.