Understanding the problem

16:58 11 March in Cyber security, Management

I read with interest a post by Elliot Atkins, a friend and former colleague. You can read his post here. I agree with all of his points, but there is one bit in particular I want to dwell on today, as I think it has wider applicability.

Quoting: “about 5 years ago, cyber got cool. Or more accurately, cyber got money. And with money arrived an influx of senior bureaucrats, with little to no knowledge”

That is an astute observation, with wider implications. I remember the days before cyber was cool, and when only a small group of us in government cared about it. Hacking never made the headlines, and the problem was considered a niche, technical one. That obviously wasn’t an ideal state, but it was one that was reflected across all sectors. It certainly isn’t true now – cyber security is a board level topic and LinkedIn has never had more people with ‘cyber’ in the job title.

But therein lies something of a problem. Whilst it is good that cyber security is taken seriously, and that money is being spent, the people with knowledge and experience have not yet percolated through to senior ranks. The senior bureaucrats of Elliot’s article, and board members and senior managers away from the civil service, frequently have little or no security background, but are expected to understand the risks and make decisions on spending. One of my frustrations as a civil servant was having to address concerns from on high on the back of scare stories from salesmen or wildly inaccurate claims from journalists – because with no cyber security experience they lacked the ability to distinguish the genuine risk from the FUD. It’s true away from the civil service too – on my training courses I often meet people who want to be smarter customers of the cyber security consultancies they use but lack the knowledge to ask hard questions. Before Christmas I ran a seminar for senior risk managers in the financial sector, and found the same thing – they didn’t have the background to understand what were credible risks, or to evaluate solutions.

So what’s the solution to this? Over time, hopefully, people with a cyber security background will become senior managers, or senior civil servants. Senior managers and board members should also build teams of people with the background knowledge, who they know they can trust to be straightforward and honest when addressing cyber security, and not just to bid for expensive tools. Finally, but by no means least, training. Provide training for your senior managers, and your board. It does not have to be days and days (they won’t have the time), but a short session that leaves them understanding the real risks to your organisation, as well as what practical solutions might look like, would be invaluable.

