
Risk management and measuring cyber security success

Is no news good news when it comes to cyber threats in your business? What are the hallmarks of excellence in this field? Prior to the forthcoming Cyber Security Summit in London, organiser David Roberts talks to information security expert and speaker Phil Cracknell, who gives insight into the world of information security, cyber security success and risk management.

Phil Cracknell, chief information security officer (CISO) at Homeserve, is speaking alongside senior public and private sector figures at the Cyber Security Summit in London on Thursday November 16, shining a spotlight on the challenges facing cyber security practitioners.

He is keen to bring focus onto the lack of quantification in cyber security, pointing out that “what good looks like is becoming increasingly important” and, as such, the ability to define what constitutes ‘good’ cyber security takes priority.

Phil has long made strides in developing co-operation between CISOs with a number of purposes, one of which is the quantification of cyber security standards. Initially focusing on ‘anonymous surveys of CISOs to fill the void of information regarding breaches’, this work has since evolved into The Metrics Project.

The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of information security, with more than 50 UK CISOs involved. As the collective work of more than 350 CISOs over its current lifespan and purposely avoiding vendors and analysts thus far, the Metrics Project focuses on developing something that will deliver true value to the businesses of those involved, in Phil’s words: “By the CISO, for the CISO.”

Measuring and validating

Phil emphasised the role of metrics as “very much the key to our future” in measuring and validating both the effectiveness of security programmes and cyber security success: “Businesses are waking up to the fact that they need metrics and risk indicators that our board, audit committees and non-executive directors are able to understand.”

Promoting a ‘report what you should, not what you can’ mind-set from organisations, Phil suggests metrics have the ability to affect business practice in a number of ways: “Metrics can demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint responsibilities and highlight levels of investment,” all of which provide a great insight into a sector and tangible, measurable indicators of cyber security suitability.

Having been in cyber security for more than 20 years, the quirks and trends of the industry are no longer a mystery to Phil and, looking forward, he is able to offer insight not only on the current state of the industry, but also into where this fast-paced and largely unpredictable industry may be headed.

‘Soft’ skills also crucial in cyber security success

Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Phil draws attention to the ‘softer’ skills involved in effective cyber security: “Security leads are still procuring solutions that don’t address their top issues or risks. Good risk management will avoid this and, of course, a solution for a risk doesn’t always have to involve buying hardware, software or a service at all.”

Instead, Phil advocates an introspective business model, with training of staff and improved process management.

Casting a glance to the future, Phil addressed the rising trend in both work and society of ‘bring your own device’ and the risks associated with such a trend: “With our corporate perimeters expanding and even disappearing entirely and the prevalence of personally owned devices in our work environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data.”

Phil Cracknell will talk as part of the Cyber Security Summit at 3.30pm on Thursday November 16, with his address Measuring Success: Metrics for Cyber Security Strategy. He is speaking alongside senior public and private sector figures, including Mark Sayers, deputy director of Cyber and Government Security at the Cabinet Office, and Chris Ulliott, chief information security officer at the Royal Bank of Scotland.

Author: David Roberts, event director at GovNet

David Roberts is event director at GovNet, organiser of the Cyber Security Summit and Expo, co-located with the GDPR Conference, being held on November 16, 2017 at the London Business Design Centre. The summit and expo is the UK’s largest one-day event dedicated to cross-sector learning for cyber preparedness across government, the public sector, critical national infrastructure and industry. Connecting 2,000 senior-level business, security, technology and data leaders, the event provides a unique platform to debate national leadership priorities and share best practice solutions to achieve cyber resilience in a fast-moving digital world. After seven successful years as the Cyber Security Summit, this year the event relaunched as the Cyber Security Summit & Expo, boasting more content stages, more attendees and more opportunities to meet with senior decision-makers from across the public and private sector.
