by Steve Gibson
Today, information and cyber security in business can no longer be dealt with effectively as a black box handed to internal or external IT services; it needs to be tackled company-wide. Hacking groups, terrorists and nation states make front-page headlines every day, and there is no sign that they will be going away any time soon.
My goal is therefore twofold:
- Firstly, to help managers and business leaders to identify the threats that can affect their businesses so that they can develop coherent strategies to address them.
- Secondly, to help the existing talent pool upskill so that they support the growing needs of all industries in the face of increasing Information and Cyber Security threats.
The world of Information and Cyber Security has been cloaked in smoke and mirrors for many years. This is partly due to a widely held perception that it belongs to the scary realm of computers and technology, but it is mainly due to a lack of education and awareness among business owners and technical professionals in many industries throughout the world.
In the early days of technology this wasn’t too much of an issue. Systems were less complex and if a problem arose then it would be passed to the ‘Geeks in IT’ and the problem would go away (or so you were led to believe).
This is no longer the case. Organisations must clearly think through and understand their risk appetite and be sure of the assumptions upon which the acceptance of risk is based. Strategic, tactical and operational policies need to be defined and clearly communicated along with appropriate processes, standards and guidelines that both support those policies and integrate seamlessly with all business functions.
Business leaders are just now realising that they must either invest in major upskilling initiatives or recruit new talent to meet these challenges. However, the talent pool is severely lacking in the specialized skills required and the level of quality training in this field is sparse.
How I got started
My career started over 25 years ago running operations, managing teams and introducing processes and procedures to improve output and efficiency. I went through the TPM, TQM and Lean management phases and then, after earning an MSc in Manufacturing Management, climbed the corporate ladder until I became the Managing Director of a multi-site, multi-million pound organization based in the UK.
At that time (during the mid-90s) I was working in Direct Marketing and technology was just starting to impact that industry in a big way. Large-volume Data Processing, Data Communication and Data Storage were still in their infancy, but the speed of computing technology development would soon lead to concerns around how this information could be securely protected.
Following a takeover of this last business, I became a Management Consultant, still working within the Direct Marketing industry but with more focus on IT, Software Development and Data Management.
During the early 2000’s I began working specifically in IT, and in 2013 decided to improve my skills as a mentor and coach by training as an NLP Practitioner, Personal Performance Coach, Small Business and Corporate Coach.
The value in these forms of intervention is that I now work with my clients to establish goals and actions that are perfectly aligned with what they want to achieve and how they want to achieve it.
As part of my consultancy work in IT, I became a Lead Auditor for the ISO27001 Information Security Management Standard. I continue to provide audit services to a UKAS Accredited Certification Body, where I audit businesses that need to prove their eligibility to be ISO27001 certified.
I regularly use the ISO27001 framework to develop and implement ISO27001 Information Security Management Systems (ISMS) within organisations.
I also trained as a Cyber Essentials Practitioner, implementing Cyber Security controls that meet the requirements of the UK Government’s Cyber Essentials program. More recently I studied and became a Certified Information Systems Security Professional (CISSP), which is an internationally recognised qualification in my field.
I am now offering ‘virtual Chief Information Security Officer (CISO)’ services to organizational boards who recognize the need to integrate information and cyber security into their strategy but have no one at that level who understands how to do it.
My experience having a mentor
While training as a coach, I spent a year working with my own coach and mentor.
After initial scepticism as to what the real benefits would be, I can honestly say that I found tremendous value in having a skilled coach challenge my thinking, as it led to fresh insights and opened up new options that I would otherwise not have considered.
My coach worked with me to clarify my goals, identify new options and establish actions in a way that meant I was totally aligned with what needed to be done and it helped me progress in my career far quicker than I could have hoped for without this support.
Consider the traditional consultancy approach:
- Interpret the information provided by the client
- Compare the information to previous experience and best practice of the consultant
- Propose a course of action that, to the consultant, appears to address the issue raised by the information provided
This approach works well where the consultant has sufficient experience to understand the exact issues facing the client, and where the client is sufficiently aligned with the consultant to listen to what they say and carry out the proposed actions. Many consultant proposals sit unused in a top drawer or filing cabinet, never to see the light of day.
Many times you will find that the lack of client involvement in establishing the options and actions leads to failure, because the client is not aligned with the solution.
The application of coaching techniques helps the client identify resources that they have available to them so that they can establish their own options and action plans. This vastly increases the success rate of the action plans as the client alignment to the solution is far greater.
A ‘pure’ coaching approach delivers the best results when helping individuals in areas like relationships, career choices and confidence (Performance/Life Coaching), but can take some time and soul searching to achieve these results.
In business you cannot afford to spend time soul searching, you need to act quickly and need someone that you trust to help you find answers beyond your experience. Sometimes you need to just bounce ideas off someone and sometimes you just need some support to get you through a difficult time.
This is where a mentor comes in.
A mentor is a client’s trusted advisor and support mechanism. They guide the mentee based on real learning experiences that are not necessarily found in textbooks, act as a sounding board, and provide advice on the courses of action that are likely to have the greatest degree of success. This allows a client to approach situations with proven methodologies and to deal with urgent problems quickly and confidently.
The skill of a great Mentor is to know when to tell (Consult), when to advise (Mentor) and when to ask challenging questions (Coach).
My area of focus in cyber security
My primary focus is on helping managers and business owners understand and address the risk that their organisations face around information and cyber security.
I work with leaders to help them integrate information and cyber security into their business strategy and develop strategic plans to deliver their objectives.
I work with senior and middle managers to help them manage the introduction of information and cyber security controls into their operations, and to manage the inevitable changes that will need to occur all around them for these controls to be effective. Obtaining buy-in from managers above you and across from you is crucial to reaching all areas of the business.
Many people are still under the illusion that this is an area that belongs to the IT domain, which couldn’t be further from the truth. Some are simply unaware of the implications, and others understand the threats and implications but do not believe that it will ever happen to them.
A big area that I help my clients focus on is expanding their thinking about what information and cyber security constitutes and where the threats lie. A significant amount of the risk revolves around people and as such impacts on every area of an organisation.
My strengths as a mentor
- I am skilled in interpersonal communication and build rapport quickly
- I quickly relate to my clients, enabling me to work very closely with them to establish suitable options and create realistic action plans to achieve their goals.
- I have a high degree of competence in my specialized field and understand how to apply it to organisations of all types.
- I enjoy what I do, especially helping people and businesses succeed
My ideal mentee
- They are a manager or a business owner who wants to understand and address the risk that their organisations face around information and cyber security, or they are someone wanting to build a career in cyber security.
- They are open minded and are prepared to be challenged.
- They have the time (or can make the time) to put their action plans into place.
- They are prepared to work as hard as I am to succeed in their businesses.
The most useful advice or wisdom I would pass on to someone starting out in my field:
- Don’t let the detail, complexity and fear of IT detract from the bigger Information and Cyber Security picture. It isn’t just about pressing keys on a keyboard and configuring firewalls, routers and servers.
Yes, the technology matters, but managing technology is more about understanding what it does and why, rather than how. For instance, knowing that a server can be configured to enforce the use of complex passwords is more important than knowing how to configure the server – leave that to the techs.
- Information Security isn’t only about confidentiality; you also need to consider the Availability and Integrity of information.
If you can’t get to the information you need (availability) it’s useless.
If it’s corrupted or inappropriately changed (Integrity) then it’s also useless.
You need to protect the Confidentiality, Integrity and Availability (The CIA Triad) of information.
- Concentrate on developing a holistic approach to protecting organisations, in addition to IT you should also consider:
- Physical security
- Social engineering threats
- Staff awareness and training
- Developing security cultures
- The secure use of equipment
- Identification of information assets (including hard copy documentation)
- Classification systems and methods of access control
- What you will do when a breach occurs (Incident Response and Business Continuity Planning)
This list is not exhaustive but it demonstrates the things that Managers must consider as part of an integrated information and cyber security system.