SRM Blog

Who’d want to be a University CISO?

Spare a thought for the University CISO: ‘As a group, CISOs live on a knife’s edge and do not sleep very well. They know that a breach is inevitable.’ So said William Hugh Murray in an Open Letter to Target CISO Candidates. It may sound bleak, but new CISOs who are halfway through their first academic year might, however, recognise its reality.

Given that they are responsible for any breach of the University’s defences, being a CISO undoubtedly carries certain implicit risks and pressures. In the wider business world, Ponemon Institute researchers estimate that the CISO’s average tenure is just 2.1 years, and their research also revealed that 24% of respondents said that being a CISO was the ‘worst job they ever had’. Not the best advertisement for the role, but there is a positive here: in understanding the issues, we have also come to understand the solution.

In essence, the problem is that the CISO job description is changing. It’s no longer enough to be an expert in information technology; the CISO of 2016 is also expected to be a business leader, IT leader, finance leader and an excellent people influencer and navigator. It’s a tall order and one that few have the qualifications or experience to fulfil without additional professional support.

Yet, although the evolution of the role is undoubtedly underway, only a few Universities have recognised the benefit to be gained from ongoing professional CISO support. Just as the finance department is not expected to function without input from professional accountants, nor the legal department without access to specialist solicitors and barristers, so the CISO benefits from a collaborative relationship with information security specialists whose role it is to support, enhance and resource the CISO function within the University.

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.

But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe, it appears that the words of John Allen Paulos, an American Professor of Mathematics, apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well, the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.

By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.

  1. Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
  2. Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
  3. Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board level influence. With access to a high level of technical expertise and strategic guidance, the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, securing company-wide support and making the case for adequate resource. This will set you up to be flexible and responsive to change.

SRM’s VirtualCISO™ has been developed to provide a cost effective, bespoke solution to organisations without a CISO, or where a board level strategic adviser is required to ensure Information Security remains high on the board agenda. The SRM VirtualCISO™ has access to an extensive portfolio of professional services to help embed Information Security throughout your organisation.

New face in cyber crime investigation

There is a new face at the forefront of investigating cybercrime in the UK. Newcastle-based Security Risk Management has achieved another success for its SRM Academy Programme. With over five years’ industry experience and six months of preparation, 26-year-old Mustafa El-Jarrah has become one of the youngest Payment Card Industry (PCI) Qualified Security Assessors (QSA) in the world.

As a PCI QSA, 26-year-old Mustafa has also been accepted by the PCI as a Payment Card Forensic Investigator (PFI). Only six companies in the UK operate in this field, and Security Risk Management (SRM), which Mustafa joined in 2015, is one of these.

The SRM Academy was established to address the national shortage of top level qualified cyber security consultants. Delivering elements of cyber security training to colleges in the North East, Newcastle-based SRM Ltd also employs individuals with potential and then provides them with training in house. SRM Ltd now boasts the largest number of QSAs of any cyber security company in Europe.

Brian Fenwick, Director, says: “We are one of only 18 companies in the world accredited by the Payment Card Industry to investigate breaches of credit card data, and one of only six in the UK. As an aspect of maintaining this standard we prioritise recruitment and training. We run an internal training programme as well as ensuring that those studying to become QSAs attend numerous client sites with an experienced QSA to assist with the practical elements of the course.”

In his new role, Mustafa will be called upon to investigate major incidents where instances of data theft occur. Forensic investigation work often deals with various types of online theft, either of significant sums from online transactions or of personal data. Both forms of theft put individuals at risk of a host of other fraud issues.

Once the source is identified, remedial action can be taken swiftly to return a business to an operational level. SRM Ltd consultants will advise on effective damage limitation and work in partnership with the company involved to re-establish normal trading as quickly as possible and support the achievement of PCI DSS Compliance as required.

The technology gap which leaves organisations vulnerable to attack

While all of us are aware of the need to protect our organisation’s technology from potential threats and security breaches, few are fully aware of the gaps that exist which leave us vulnerable to information security attack.

Indeed, most of us have invested in a combination of technical services and technology to process the information needed to do business, hoping we have taken the steps necessary to establish a line of defence against potential attack. The harsh truth is, however, that in many cases, these products and services were not designed to work with each other and experience shows it is normally the gaps between these tools and services that lie at the root of most of the security challenges facing businesses and organisations. This means that our investment is often undermined and crucially we are often unaware of this vulnerability until it is too late.

To fill this gap, we need someone who understands the current information risk environment in which the business operates and who can take responsibility for all strategic information security goals: the role of CISO, with proven experience and authority to perform the function for their business or organisation. This individual needs to inform, influence and support the organisation’s board, shareholders or partners, and requires the knowledge and resources to engage their full support. This applies to micro businesses through to large companies and institutions.

Whatever the size of an organisation, one individual needs to be responsible for information security and that person is usually the Chief Information Security Officer (CISO). In smaller companies, this is likely to be one of a number of roles held and may not realistically be the focus. Yet the implications of a security breach are far reaching, both in terms of finance and reputation, so the CISO role is a vital one.

Few would ever expect to manage the full accountancy or legal function of an organisation in house, relying instead on expert professional guidance and resource to deliver effective solutions. It is within this context that SRM has developed VirtualCISO. In reality this service goes above and beyond the simple task of filling the gap. But it is not intended to replace or undermine the roles of Chief Technical Officer (CTO) or CISO in any way; rather, it enhances, resources and advises these officers on how best to manage all aspects of Information Security Risk.

If Brexit means Brexit, what does GDPR mean?

Politicians do tend to favour soundbites and Theresa May is no exception. So when she said that “Brexit means Brexit” some nodded their heads as if this simple statement explained everything. Others, and in particular Chief Information Security Officers (CISOs), may have found this statement inadequate when it comes to explaining exactly how the Brexit vote affects their responsibilities for data protection.

It’s not just soundbites which populate the post Brexit vote world, however; acronyms also feature heavily and the most important of them all is GDPR. The General Data Protection Regulation was drawn up pre-Brexit but is still on track to be adopted in the UK in May 2018 regardless of the timing of Britain’s exit from the EU.

The UK government will have the option to adopt it; but regardless of whether it does or not, GDPR will still apply to all organisations or businesses that hold or handle the data of any citizen within the European Economic Area (EEA). This means that any organisation handling EEA personal data and doing EEA business will be regulated under GDPR by a ‘supervisory authority’ in the EEA. This would be on top of any data protection laws in the UK.

If GDPR is enacted in the UK, which seems likely, it will replace the current Data Protection Act (DPA) 1998. If it is not, then tighter privacy laws which reflect the rules contained within the GDPR are still going to come into effect, perhaps in the form of an enhanced DPA. So there really is no escaping the inevitable, and it is important that organisations start planning for the adoption of the GDPR or its equivalent from May 2018 onwards or face the consequences. Because, in short, what GDPR means is business. It imposes mandatory high tempo reporting of breaches and also carries significant fines for those organisations who fail to fulfil their obligations. These can be up to 20m Euros or 4% of global turnover.

As a first step, organisations should review and update their current administrative and technical controls. Most importantly under GDPR’s accountability heading, organisations need to demonstrate information security compliance; and under GDPR’s mandatory breach reporting requirement, solid detective controls need to be implemented.

If you need help, SRM provides three types of service. Our Virtual CISO service (VirtualCISO™) has been developed to provide a board level / SMT strategic advisory role and provides a cost effective route to accessing the full range of SRM professional services, supporting, resourcing and advising on all practical and strategic aspects of Information Security, including GDPR compliance. We also now provide VirtualISM to support and enhance the role of Information Security Manager; it provides the umbrella under which we deliver our delivery consultants’ expertise, providing you with an experienced ‘active’ resource to effectively deliver your initiatives and projects.

Our portfolio of classic compliance, consultancy and incident response services is available as single or multiple service offerings tailored to your specific requirements. The blend of a VirtualCISO™ and VirtualISM can provide a truly value-add service to an organisation which perhaps cannot or does not wish to directly employ either role. In short, we can provide the strategic direction and support, combined with the experienced delivery consultants, you need to help you seize the initiative in this Brexit world.