Welcome to 2021 everyone! And what better way to start the year than with a look back at the key issues, challenges and opportunities that the cyber community faced last year. Telstra Purple’s ClubCISO community held an instructive and remarkably upbeat celebration of all things Cyber in December. It was also a fitting way to bring the community together to recognise the impact and progress we have made as a profession.
We wanted to bring you the outputs from that discussion, which involved 84 CISOs from the UK and other European markets, as well as some festive fun and virtual cocktail making. Each session was chaired by a ClubCISO Advisory Board member and involved CISOs from a range of industries.
The first working session began by focusing on the three R’s of 2020:
All the CISOs agreed that these three issues had been the dominating influence on the working lives and role of the CISO, but the emerging force was the last one – Resilience. This chimes with the latest ClubCISO Information Security Report, which predicted that information security would have to strengthen its resolve and adaptability in 2021. The report predicted: “There is still much to be done; most of all in dealing with emerging risks we didn’t experience last year. The unknown of COVID-19 and other geopolitical risks has created a whole new raft of new security problems. On top of that, while CISOs themselves are starting to come to terms with the impact of stress on their jobs.”
Yes, the COVID-19 situation has been a challenge. This is mostly because the sheer number of people working from home has vastly increased the attack surface of our organisations. But there are also positives to be had in the form of rapid digital transformation and the acceptance in even the most hardened old-school boards that technology and security are drivers of business value.
The CISOs predict that this innovation in the way we work and communicate will continue to gain momentum in 2021, but it’s not all about virtual meetings and the blurring of home and work. The CISOs discussed the importance of meaningful human interaction – not only for our wellbeing, but also as a front line of security. After all, if you’re regularly talking to people in an office environment, they’re more likely to flag emails and behaviours of a suspicious nature. In a virtual world, the opposite is happening: phishing attacks are becoming more prevalent as people lack the support of peers to keep them watchful and safe.
CISOs are continuing to make progress in helping their people and organisations understand the impact of human behaviour and camaraderie on creating better security cultures. As the Information Security Report found, Security Awareness and Training was the number one area where CISOs had made tangible and measurable improvements in 2020.
But a word of warning. Some panellists are seeing organisations that are putting in tools and technologies designed to aid remote workforces, but which are actually implemented without much thought for how people really want to work. You can “empower” people with as much technology as you like, but if it isn’t fit for their purpose, they will simply circumvent it. And then we are back into the realms of shadow IT and unintentional insider threat.
The very good news is that the CISOs are finding that security budgets are holding up fairly strongly. Where there is tightening, it is also seen as useful as it is forcing CISOs to prioritise and focus their efforts. Security culture will remain a blanket priority across the membership base in 2021, but they also expect to be building even more diverse and talented security teams to broaden the positive impact of security best practice across their organisations.
In summary, the picture the CISOs paint is a very positive one for the year ahead. The profession has shown itself to be adaptable and impactful, leading the way for their organisations’ ongoing (if enforced) digital transformation.
In the next CISO’s View blog, we will tell you what the CISO panellists had to say about motivating and influencing boards, their teams and end users. Heads up that it isn’t easy, but the members have some excellent best practices to share.