Phil Cracknell (pictured right), chief information security officer (CISO) at Homeserve, is speaking alongside senior public and private sector figures at the Cyber Security Summit in London on Thursday November 16, shining a spotlight on the challenges facing cyber security practitioners.
He is keen to bring focus onto the lack of quantification in cyber security, pointing out that “what good looks like is becoming increasingly important” and, as such, the ability to define what construes ‘good’ cyber security takes priority.
Phil has long made strides in developing co-operation between CISOs with a number of purposes, one of which is the quantification of cyber security standards. Initially focusing on ‘anonymous surveys of CISOs to fill the void of information regarding breaches’, this work has since evolved into The Metrics Project.
The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of information security, with more than 50 UK CISOs involved. As the collective work of more than 350 CISOs over its current lifespan and purposely avoiding vendors and analysts thus far, the Metrics Project focuses on developing something that will deliver true value to the businesses of those involved, in Phil’s words: “By the CISO, for the CISO.”
Measuring and validating
Phil emphasised the role of metrics as “very much the key to our future” in measuring and validating the effectiveness and cyber security success: “Businesses are waking up to the fact that they need metrics and risk indicators that our board, audit committees and non-executive directors are able to understand.”
Promoting a ‘report what you should, not what you can’ mind-set from organisations, Phil suggests metrics have the ability to affect business practice in a number of ways: “Metrics can demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint responsibilities and highlight levels of investment,” all of which provide a great insight into a sector and tangible, measurable indicators of cyber security suitability.
Having been in cyber security for more than 20 years, the quirks and trends of the industry are no longer a mystery to Phil and, looking forward, he is able to offer insight not only on the current state of the industry, but also into where this fast-paced and largely unpredictable industry may be headed.
‘Soft’ skills also crucial in cyber security success
Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Phil draws attention to the ‘softer’ skills involved in effective cyber security: “Security leads are still procuring solutions that don’t address their top issues or risks. Good risk management will avoid this and, of course, a solution for a risk doesn’t always have to involve buying hardware, software or a service at all.”
Instead, Phil advocates an introspective business model, with training of staff and improved process management.
Casting a glance to the future, Phil addressed the rising trend in both work and society of ‘bring your own device’ and the risks associated with such a trend: “With our corporate perimeters expanding and even disappearing entirely and the prevalence of personally owned devices in our work environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data.”
Phil Cracknell will talk as part of the Cyber Security Summit at 3.30pm on Thursday November 16, with his address Measuring Success: Metrics for Cyber Security Strategy. He is speaking alongside senior public and private sector figures, including Mark Sayers, deputy director of Cyber and Government Security at the Cabinet Office, and Chris Ulliott, chief information security officer at the Royal Bank of Scotland.