Doing security is easy, but there can be some specific challenges in a large corporate company.
Delivering the opening keynote at BSides Scotland in Glasgow, CISO Paul Midian said that doing security can be easy generally, but for it to “be a thing in a large corporate is different”. He claimed that the “blindingly obvious is overlooked” and in his previous positions as a penetration tester and a consultant he overlooked them.
These included getting budget and knowing what to do with it. Midian said that when you figure out what you want to do and what it costs, you need money to do it.
“When I started, a large part of the security budget sat in IT so I had to take money away from them and this creates the wrong type of friction as their budget is compressed anyway.”
Having got the budget, then you need to procure and Midian claimed that this is “particularly difficult” when dealing with procurement, who will need to compare to other available products for the best price, and particularly so when you want to buy a piece of technology from a small start-up with no competitors.
In terms of people, Midian said that this was one of the biggest changes from consulting to client work, as on the consultant side it is relatively easy as the review is about keeping client happy, while on the client side there is not a common set of drivers and security risk is another thing the board is managing.
He also said that articulating what you want to do is pretty critical, and as he does not work for a security company “99% of people forget about security within 24 hours and that is why I reiterate why culture is critical.”
“I am a believer in humans being the cause of every security problem and humans attack us and security is fundamental,” he said. “I learnt that getting stuff done is hard, as the business does do dumb things.”
Pointing at some common questions he gets asked about cybersecurity, he detailed these as the key reasons people state for not doing security, but that things were getting better:
- We have to keep the business running
- This will make us a bunch of incremental revenue
- The CEO has asked for this personally
- We’ve done it that way before
He concluded by looking at other issues, such as how fast vulnerabilities are fixed, and how he was looking to start an agile approach to inject pace into the process and not have issues “caught in queues”.
He also encouraged understanding of how pen tests happen on the client side, and to know your client and understand when their busy cycles are.
Midian concluded by saying: “The role of the CISO is to represent security to the business and the business to security.”