From: Risk.net

Author: Miranda Alexander-Webber

Source: Operational Risk & Regulation | 23 May 2013

MoD’s former head of cybersecurity says tone needs to be set from the top

Senior executives need to set the correct tone from the top to tackle the cyber threat to their organisations, a conference was told today.

Jonathan Shaw, a cyber adviser at Digital Barriers and former head of the defence cybersecurity programme at the UK Ministry of Defence (MoD), today told the Digital Threats 2013 conference in Brighton that leadership was key.

“If you mention cyber to most people they instantly switch off; they think it’s a technical issue, they think it’s for the IT department, they leave it to someone else. Wrong answer,” said Shaw. “This is a risk problem, it needs to be managed and it takes leadership.”

Leadership is needed to ensure the personnel within a firm apply the correct procedures and management tools, Shaw said.

“It also takes leadership to generate within your company the sort of loyalty that will keep people loyal to their organisation and to be sensible about how they operate in your cyberspace.”

Shaw told the conference he had to convince the chief of defence staff at the MoD to stop using personal devices.

“It was only when I got him off his social media in the MoD that I could actually with any moral credibility get people further down the food chain, i.e. everybody, to stop taking their personal devices into what should have been a secure MoD environment.”

Using the correct language to communicate the risks to senior executives is also essential.

“In the MoD I had the same problem trying to get people to take the cyber risk seriously,” Shaw said. “I spoke to them in their language about their business risks and they got it and they started investing in cybersecurity.”

Incentives to align security with business needs are emerging. The Information Assurance for Small and Medium Enterprises (IASME) consortium has established a self-certification scheme with insurer Sutcliffe & Co.

“If you get one of these IASME certifications you get a reduced premium on your cybersecurity,” said Shaw. “So, what we’re starting to see is the business world getting on side with incentivising people to good behaviour in cyberspace, aligning our security and our business incentives in a way that surely every chief executive and chairman will understand. That seems to me a really optimistic sign of how we’re going to risk-manage this sort of problem in the future.”

Farshid Kapadia, head of information risk management at Tata Consultancy Services, agreed that senior executives needed to promote the correct culture within an organisation.

“It really comes down to whether the senior management promote a certain level of privacy within the organisation themselves,” he said.