Can a CISO realistically wrap their arms around a company and assure its security? Paul Watts, CISO of Network Rail, looks at this from the side of the large business.
I’ll be honest; I do look at CISOs of small-but-perfectly-formed organizations from time to time, and wish I could wrap my arms around my own ‘as easily as they must be able to.’ Of course, I have no scientific basis for that assertion, but permit me to elaborate on a few areas of challenge that face larger, more diverse organizations such as mine.
My organization is diverse, and it is certainly large. Network Rail consists of over 35,000 staff and contractors, 5500 suppliers, hundreds of properties and one of the largest private telecommunications networks in the UK. It also encompasses thousands of information and operational technology platforms and an infrastructure comprising more moving parts than is humanly possible to count, scattered liberally across the UK. All of this, coupled with our devolved operating model, makes the challenge of maintaining effective oversight of our security posture exciting and challenging in equal measure.
So can one CISO realistically wrap their arms around something of this scale? In our case, it wasn’t practical and we therefore have two – one for the corporate and IT interests of our organization (me), and one for our telecommunications organization and Digital Railway transformation program. We also have an operations security manager and a professional head of cybersecurity. Between us and our teams, we just about cover all the bases.
Most large organizations will struggle to keep a low profile. In providing a key transport infrastructure for 4.5 million passenger journeys per day, our high public profile is inevitable. Depending on who you are, your public profile in some small way can influence threat opportunities and thus create potential headaches for the organization’s CISO.
In the era of social media, it pays to have an ear listening out for who is talking about you and why. As well as identifying and defeating potential opportunities for business disruption, you are also taking steps to actively manage your brand’s digital footprint and reputation. It gets you on the front foot far quicker than waiting for the first DDoS attack or that call from your media relations team, certainly a plus when you consider the saying “the bigger they are, the harder they fall.”
An effective security management plan starts with the right organizational culture and it fails spectacularly without one. However, building an effective security culture that reaches all four corners of a large and diverse organization is a massive challenge. From experience, I have concluded that one size simply does not fit all.
I often labor the point about security being a journey, and never a destination. However, in order to take everybody on the journey, it has to personally resonate in a way that compels people to want to be on it. Personally resonating with 35,000 people without culture change is insurmountable unless you enforce an edict, which is hardly conducive to winning hearts and minds and will ensure CISOs retain their traditional ‘business blocker’ moniker.
So, what is the solution to building an effective culture in a large organization? You must listen to your business. All of it. Recognize that within a vast organization lie subtle demographic differences. On the railway, an office worker has different needs and wants to a member of our trackside teams of engineers. Once you have agreed your core messages, subtly adapt them to relate to those different groups. By taking this approach we observed notable changes in behaviors; in our last culture assessment we measured improvements right across the board.
What about determining the reality of your security posture? They say the best way to eat an elephant is ‘in small pieces’ and this is critical in a large organization; you simply cannot expect your HQ-based security team to know-all, see-all. They can’t, and they won’t. If security is a collective responsibility, how can the organization play its part if you are ‘invisible’ to them, and they are ‘invisible’ to you?
One solution that works is to extend the traditional security team with a crowdsourced community of interest, advocates or ‘champions’. Equip them with tools, materials and training. Incentivize, engage and empower them; if they feel they are making a difference, they will continue to champion the cause for you.
To conclude, whilst the rationale and outcomes of CISOs are broadly similar in objective, I do believe the depth and complexity of certain aspects of the role differ between large and small organizations. My advice to CISOs in large organizations is this: don’t try to eat the elephant yourself. Instead of a CISO and their team trying to be one set of very long arms, seek an organizational culture that allows many arms to form one long chain around your business, letting the business own the problem with you, and collectively celebrate the success of managing it together.
This is part of a point-counterpoint debate.