Interview with Martin Allen, COO of Cynode

Interview with Hugo Hedén, Senior Cyber Associate, Cynode

Q1: Martin, you have extensive experience working with large and medium-sized enterprises, helping them build cyber security capabilities and reduce their risk. It seems that in recent years, enterprises have been under significant pressure as the threat landscape becomes more dangerous and regulatory schemes such as GDPR and NIS2 have become tighter. Can you share your perspective on how the lives of security teams have changed, both in general and in relation to the changes brought about by the pandemic?

Martin Allen: I think there’s been a significant level of change since the pandemic in terms of management awareness of cyber security and I think the important thing these days is that cyber security is starting to become an item on the boards’ agenda so that in each meeting, boards discuss cyber security, and to me, that is important. What we also observe is that management are very focused on internal risk, and not external risk. So, there is still work to be done by the security professionals to help educate management to ensure that they understand external risks, for instance, malware and DDoS attacks.

I see two areas where changes have been made since the pandemic. The first area is the evolving threat landscape, which is constantly expanding; ransomware is still one of the critical issues in this area, and it's certainly a big threat to medium and large-scale organizations. Organisations should empower their security teams to develop procedures and processes to guard against that. The next area that needs management attention and the security teams' attention is supply chain risk. Management are aware of the risk, but they need to change the very informal, paper-based approach they're using. I see this as an area where many of the risks and threats come from and have been introduced by suppliers accidentally. Accidental or not, supply chain risk is real, and the security team needs to focus on it and make sure that management are taking action.

The second area where I see growth is in the tightening of regulations and greater enforcement. There are a number of pieces of legislation being put forward by the EU, including NIS2 and the DORA legislation, which is particularly focused on the financial services sector. Both of those pieces of legislation not only lay down criteria, but they're making enforcement much stricter as well. So I think these are big focus areas that security teams need to be involved with, to ensure their organizations are compliant.

Q2: Engagement of the executive team with cyber security efforts is one of the most critical factors in achieving robust cyber security capabilities. In fact, it may be the most important factor. Therefore, a well-working relationship between the Chief Information Security Officers (CISOs) and the Chief Executive Officers (CEOs) is crucial. What are your thoughts on this angle?

Martin Allen: I believe that the CISO's relationship with the senior management level is essential to ensure that the security team has the right level of sponsorship, both in financial terms and in terms of sponsorship on projects to raise their priority through the business. So I think it's important to enable management and the CISO to work with each other so that the management team understands the current and evolving cyber threats. That could be through awareness raised by the CISO or through a third party providing information on current market trends. Either way, it's important that the CISO works with the management team. In relation to this, I think recruitment of the right resources, especially within the security team, is very important: resources that can talk to both the business and senior management at the right level.

I also think the relationship between the CISO and the management team is changing over time. The management team are now starting to be much more intelligent in the questions they are asking and much more demanding. Some organizations are already asking for KPIs (key performance indicators). KPIs for the security teams are used in regular meetings and discussions, which may then be brought to board meetings every month. This level of involvement would help the security team make effective enhancements.

It’s also very important that the CISOs really understand the pressure that the business is under and make sure that they are not spending more than they need to spend. Conversely, without the support of Chief Information Security Officers (CISOs), organizations could easily overspend and lose money, especially in the current climate.

Finally, it is really important that CISOs and executive teams work together, establishing easy and effective communication channels. The absence of that close working relationship puts security teams in a difficult position.

Q3: Another related topic is the process of setting cyber security budgets. This topic is now more complicated than ever, as available commercial and technical options – such as using cloud platforms, managed services, outsourcing, and building hybrid networks – have significantly increased. What tips can you share with security professionals and executive teams to help them build the right foundations for having the right cyber security budgets for their unique business requirements?

Martin Allen: This is one of the areas that many organizations both large and small are struggling with in Sweden and it’s partly a result of the current financial climate where organizations are trying to reduce costs across the business and cyber security is one of those areas that requires greater investment on a year-by-year basis. The risks are greatly increasing as the threat landscape expands and the dangers to the organizations increase, and it’s too late to spend once you’ve been attacked. Organizations need to put in place preventative measures prior to being attacked.

So, spend is really a difficult question for many organizations, and one of the things we have found from our experience is that not all the related stakeholders in an organisation are always made aware of ongoing projects. We have found many cases where security implementations have been duplicated. In these cases, both the IT department and the security team have implemented the same security measure using the same tool. Organizations should examine the tools they are using and verify that there is no duplication across the business.

One challenge for many organizations is headcount. Highly skilled security professionals are in great demand, which means that the cost of hiring security staff may be higher than that of other staff. Addressing this issue requires support from management. Organizations must recruit skilled professionals and understand why they need to do so.

Another challenge is ensuring that organizations receive the expected benefits for the money they spend. This ultimately comes down to KPI discussion. It’s important to have a measure of how well you’re performing against expected benefits. For example, you may have a piece of software that highlights incidents or issues on your network. However, if you do not take any action against the incidents, this is of little value, and therefore the costs are not justified. So, it is important that you are getting the most out of the benefits from any of the spending, and you can clearly demonstrate that benefit.

The final point I want to make is on the budget side. I think it's very important that senior management advises or clearly sets out what their risk appetite is: what they are prepared to accept and what they are not prepared to accept. This makes things clear, because that can determine the spend in the business. So, I think it's very important that the risk appetite is considered and that management make clear to the security teams what their risk appetite is.

Q4: According to Gartner's predictions for 2023, "By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents." Additionally, various sources indicate that there is currently a global shortage of around 3.5 million security professionals.

Can you provide your insights on how institutions, both globally and specifically in Sweden, can address the challenge of finding and recruiting security professionals with the right skillset?

Martin Allen: This question is very important to me, and it is a challenge that everyone in Sweden, the Nordics, and globally faces. The real problem is the absence of skilled resources in the marketplace. If you look around, both locally and globally, there are huge numbers of shortages that are defined and pressing forward.

The real challenge is finding people with the right skills and experience and, to be honest, those people don't exist in the Swedish marketplace at the moment. More and more organisations, as they become more mature and understand their security issues, are trying to hire CISOs. But they are simply not in the marketplace, and the real danger to me is that they hire people who haven't got the full skill set and who aren't really CISOs. Organisations hire people who are too early in their careers. But they are hired because there are no other options, and filling vacancies with substandard employees without the adequate knowledge to do the job really concerns me.

This problem is practically addressed in two ways. The larger organizations are recruiting junior resources who can be trained to become really good CISOs. I think that’s a very intelligent approach because it allows you to teach those people internally. It also gives you strength going forward and addresses the challenge in an imaginative way.

The only other possible solution is that we should engage CISOs, maybe with CISO as a service. This helps organizations acquire skills quickly and helps bring the appropriate staff with the appropriate skills on board. Recruitment is not going to be an easy fix. It's a problem that all organisations are facing across the globe, and there's no easy short-term fix for it.

Martin Allen is a senior consultant and COO at Cynode, with many years of experience in the cyber security space. He has worked in both the UK and Sweden, advising boards and senior management on how to understand and guard against cyber threats. Martin has also worked closely with CISOs and internal audit departments to identify the appropriate cyber controls needed to ensure that resources are applied most effectively for cyber defense, thereby enabling organizations to meet their strategic objectives. He has a proven track record of working with the NIST framework.

About Cynode

Cynode is a Cyber Security initiative launched in September 2022 by Nordic LEVEL Group to further strengthen its advisory services offering and meet the strong demand from the Group’s customers. The initiative is positioned as the preferred Cyber Security partner for Nordic SMBs and Enterprises. The business focuses on minimizing organizations’ exposure to cyber threats and strengthening their Cyber Security posture with Advisory Assurance services.


Cynode Press contacts:

Martin Allen

COO, Cynode

T: +46 (0)72 584 93 80

E: martin.allen@cynode.com

_____

Sebastian Rosendahl

CEO, Cynode

T: +46 (0)70 968 54 03

E: sebastian.rosendahl@cynode.com
