On the third and final day of InfoSecurity Europe 2022, Sarb Sembhi, global CISO of Aireye, moderated the keynote panel discussion titled ‘Boosting SME’s Cyber Security Strategy.’ Sembhi was accompanied by fellow experts Milos Pesic, vice president of InfoSec & CyberSec at Marken, Diane Abela, chief information security officer at AccuRx and Vincent Blake, VP, digital technology security officer & GRCA at Pearson.
The panel shared insights into the steps small and medium-sized enterprises (SMEs) can take to defend against cyber-risks and threats, protect their customers’ data and respond to an incident with limited budget and resources. The session addressed practical strategies for implementing security on a budget, evaluating the risk landscape to identify threats to SME businesses, analyzing the key requirements of GDPR and what they mean for SMEs, identifying the key steps to compliance, and understanding the consequences of failing to comply.
The panel began by emphasizing the importance of a company’s culture in boosting an SME’s cybersecurity strategy, stating that building a culture of trust is vital. The panel agreed that certain organizations make the mistake of seeing security more as a “blocker,” establishing a culture of “distrust” by implementing heavy-handed security methods such as “padlocking computers to office desks.”
An effective cybersecurity strategy focuses on three central areas, stressed the panel of speakers:
- Creating the right culture
- Recruiting the right people
- Implementing the appropriate processes, tools and access controls to enhance SME cyber-hygiene
Panelist Milos Pesic emphasized that cybersecurity tools, however well chosen, only work effectively when they are aligned with a company’s processes and policies.
The discussion then shifted focus to the question of hiring, specifically the most desirable skills and expertise. While technical skills are important when hiring into the cybersecurity and information security space, soft skills are also key, stated Pesic. Abela told the audience that recruiting “mission-driven” individuals with a “clear passion” is also integral, with the caveat that technical skills remain key. Abela qualified this point, adding that greater emphasis on experience rather than qualifications could also benefit a company’s hiring strategy and resilience. Blake echoed the panel’s views, further underscoring the need for applicants to have curiosity and passion, believing that these attributes can be ascertained in the interview process by asking candidates about their own real-world projects and which of these they are most proud of.
Moderator Sembhi added to this discussion, commenting that a company shouldn’t be too technically minded, since it needs to see the larger strategic picture. Additionally, Blake reemphasized the necessity for businesses to take on people with social and business skills to complement an organization’s technical employees. While Pesic agreed that a workforce needs a cross-section of talent, he suggested that small companies should consider optimizing more for technical skills when recruiting to heighten their cybersecurity.
Guided by questions from the audience, the panel moved to a discussion of the basics of good SME cyber-hygiene. Abela noted that cybersecurity “visibility” within an organization is paramount, as is ensuring that initiatives like awareness programs are a regular part of a company’s operations. The panel also highlighted the value of conducting security assessments to understand any possible vulnerabilities, noting that asking fundamental questions like “where are we now?” and “where are the gaps?” is especially imperative.
Further audience questions focused on business stakeholders, with Abela believing companies need to articulate to shareholders the importance of security and its impact on shareholder value. Vincent Blake asserted that there’s a need to “avoid talking blandly about cybersecurity” and harness more of a story and narrative in underlining its importance. Milos Pesic closed this part of the discussion by suggesting a deemphasis of the hyper-negativity that often surrounds cybersecurity, including the scale of the issue and frequency of attacks, and to come in from a more positive perspective.
Wrapping up the session, moderator Sembhi addressed the question, “what security do you expect SMEs to have in place already, and what could they do better?” with the panel advocating for robust access rights management, endpoint security, education and the cultivation of a “secure mindset.”