EXPERT OPINION
constraints. Resources here encompass more than just physical assets; they extend to the ability to analyse vast amounts of data. In the field of cybersecurity, we receive an immense volume of data, often in the billions of data points every week. Effectively analysing this data and making informed decisions to mitigate risks is a complex task. It’s important to note that addressing this resource challenge goes beyond merely allocating physical assets because competing with machines and their data capabilities is increasingly difficult.
To overcome resource limitations, it’s crucial to ensure that data tells a meaningful story. This means not only analysing the data but also using it to convey different narratives to various audiences within an organisation. Whether it’s the risk department, finance, executives, Human Resources or others, understanding the key data points and how they can be used to project different scenarios is of paramount importance in addressing resource inequality effectively.
When confronted with resource shortages that might impact security operations, what strategies do you believe are most successful in managing and resolving these issues?
Privatisation has suddenly become the foremost consideration encompassing more than just IT assets. We’re not just referring to servers or virtual machines; this pertains to the full spectrum spanning public and private clouds as well as individual laptops and mobile devices. It is important to understand that not all assets are created equal. So, when prioritising, you must assess what is significant and where your data resides – is it predominantly in the cloud, on-premises or on users’ devices? Without a comprehensive understanding of the data’s footprint and exposure, devising an effective strategy is unattainable. Resources must be allocated to address what matters but you must understand your exposure before formulating a strategy.
From your perspective, why is fostering teamwork within an IT department crucial for achieving overarching security objectives?
In the past, IT risk has often been perceived exclusively as an IT concern. If you use Salesforce for example, you have a server running a fine-tuned system, but we assume that if you’re the Chief Technology Officer (CTO) of the company, you bear the responsibility for this risk. This is a dangerous presumption. It implies that the owner of IT assets is the same as the owner of IT risks.
When we delve into the fundamentals, the risk owners should not necessarily be in IT. If Salesforce is hosted in the cloud, the responsibility for its appropriate risk management does not fall on IT alone but on those who wield it to drive customer engagement and fulfil commercial objectives. In essence, the primary owners of IT risk are usually found within the commercial leadership team. They are the ones who extensively employ the system to facilitate customer interactions and execute commercial duties.
The pivot is to stop thinking that IT risk exclusively belongs to the IT domain. When I assumed the role of CISO, we initiated an enterprise risk management plan to correctly identify the rightful owners of various risks, be it in HR, finance or the commercial team. Consequently, this approach has facilitated more meaningful conversation when we talk about IT risk.
As organisations increasingly realise the significance of a robust defence strategy and allocate resources to safeguard their digital assets, how would you suggest initiating a well-rounded investment plan?
It is vital to understand your risk profile before you formulate a strategy. Even if the cybersecurity program is new or has previously existed, a rigorous approach is needed. This can include a risk assessment which many cyber-risk professionals use as a starting point. I would encourage a data-centric conversation that revolves around protecting your most creative assets such as customer or employee data that flows through your organisation.
The first step is having a complete understanding of the digital assets you are protecting and performing gap analysis. For example, in the past, cyber teams would buy products and have a plan to implement them within a specific timeframe and budget. The questions those IT teams should be asking are: are those the right products and what problems are these products solving? The value of independent thinking is critical. You should evaluate if the product is the right fit for the organisation by assessing exposures and planning.
The second part is acting on the plan of action and being patient. You need to consciously produce a return on investment back to your business owners. This is an area I have been working on with our board over the last four years. A diligent process is required here with trends being analysed every quarter which can shield investments. These reports reveal gaps and how that enables businesses to do more and reduce the security risks. Having this cost analysis data which goes beyond the cyber data increases the odds of success.
In the realm of assisting governments, boards and organisations, how does Diligent help in tackling prevalent IT challenges? Can you outline the range of solutions you provide to your clients?
Our unique competitive advantage is getting the data to the right eyeballs. It is important to explore different types of data. Regarding machine data, this is operational and needs to be analysed, presented and reviewed by the risk owners. However, at the board level, this data may be too nuanced giving unnecessary details. Most of
www.intelligentciso.com