In the life of a CISO, there are always things that need to be dealt with quickly – including rolling out the latest technology, embarking on new transformation projects, and even just patching your organisation’s software. One of the things I found I needed to do more of this year was to tell the story of how and why I was going to approach these challenges, to a variety of audiences – not just to the board, executive team and senior managers across the business.
For more than 25 years, Nominet has been the proud custodian of the .uk internet infrastructure, and we are also a public benefit company that uses surplus funds to support projects that promote digital inclusion. As Nominet is at the heart of the UK’s internet, and a regulated organisation, we need to balance fulfilling our obligations to Ofcom as our regulator and meeting our internal security requirements with bringing everyone internally and externally – such as our members – along for the ride.
Going through this process, it has struck me that security and IT professionals (and I include myself here) are not always the most effective communicators. We are sometimes too technical – learning the power of communication and explaining the narrative around IT change has been perhaps my biggest lesson from the year.
Instead of just telling it how it is, you need to say why it is. This could be by explaining how the threat landscape has changed, or how upcoming regulations may affect how we operate, for instance. By letting people look behind the curtain, removing the perceived mystique of security and showing them the bigger picture, everyone can better understand the part they play in cyber security. This brings all the different stakeholders on board much more easily.
This brings me to my second lesson. With so many stakeholders when it comes to cyber security, it is a huge learning curve to balance all these competing parties and accept that there need to be some trade-offs, so that everybody is happy most of the time rather than completely unhappy.
If this year has taught me anything, it’s the power of prioritisation. Don’t try to do everything – it’s impossible. And it’s equally impossible to do everything perfectly – perfectionism is truly the enemy of progress. Do a handful of things well, rather than lots of things averagely.
This feeling of competing priorities isn’t just something that plagues the technical C-suite, but emerging tech talent too. I was lecturing at university the other week and had a student approach me to ask: “How do I make sure that I’m doing the right things when handling security vulnerabilities?” My advice was to prioritise and go through the list of vulnerabilities to figure out which you absolutely need to deal with, because you can’t do everything at once.
Their response really struck me: “Well, what happens if I’ve done the top 10 on the list, but we get hit by the 11th one, or the 14th one?”
As security professionals, if we can demonstrate that we have helped inform risk-based decisions, then we are handling our workload in the best way possible. We need to prioritise all the competing needs of the business. It is this fear of failure, and the need to be right 100% of the time, that drives security professionals.
However, as we all know, no system is going to be 100% secure. It’s about giving people the tools to think through the problem rather than chasing the perfect solution, and ensuring we have done everything we can do and that the risk is as low as reasonably possible.
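To make the “top 10 versus the 11th” conversation concrete, here is an added illustration of risk-based vulnerability triage. It is example code written for this page, not Nominet’s process or the author’s own tooling: the vulnerability records are constructed placeholders (the IDs are tracker-style labels, not real CVEs), and the scoring weights, the team capacity and the acceptance threshold are assumptions chosen to show the mechanics. The point it demonstrates is that everything below the cut-off still gets a recorded decision and a rationale, so a later hit on item 11 is a documented, informed risk acceptance rather than an omission.

```python
"""Risk-based vulnerability triage with a written-down decision for every item.

All data below is CONSTRUCTED for illustration; the weighting scheme is an
assumption, not a standard or any organisation's policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str                   # placeholder tracker ID, not a real CVE
    asset: str                   # constructed asset name
    cvss: float                  # base severity, 0.0 to 10.0
    internet_facing: bool        # reachable from the internet
    exploit_seen: bool           # exploitation observed in the wild (assumed feed)
    handles_sensitive_data: bool


def risk_score(v: Vuln) -> float:
    """Combine severity with exposure and exploitability.

    Assumed weighting: CVSS is scaled by 1.5x for internet exposure, 2x for
    known exploitation and 1.25x for sensitive data, then capped at 30.
    """
    score = v.cvss
    if v.internet_facing:
        score *= 1.5
    if v.exploit_seen:
        score *= 2.0
    if v.handles_sensitive_data:
        score *= 1.25
    return round(min(score, 30.0), 2)


def triage(vulns, capacity: int, accept_below: float) -> list[dict]:
    """Rank by risk, fix what the team has capacity for now, and record a
    decision and rationale for everything else (schedule or accept)."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    decisions = []
    for rank, v in enumerate(ranked, start=1):
        score = risk_score(v)
        if rank <= capacity:
            action = "fix now"
            rationale = f"ranked {rank} of {len(ranked)}, within capacity of {capacity}"
        elif score >= accept_below:
            action = "schedule"
            rationale = (f"score {score} is above accept threshold {accept_below}; "
                         "needs a dated plan or a compensating control")
        else:
            action = "accept (documented)"
            rationale = (f"score {score} is below accept threshold {accept_below}; "
                         "revisit if exposure or exploit status changes")
        decisions.append({"rank": rank, "id": v.ident, "asset": v.asset,
                          "score": score, "action": action, "rationale": rationale})
    return decisions


def residual_risk(decisions: list[dict]) -> float:
    """Sum of scores not being fixed now: the risk the business is knowingly
    carrying, to show stakeholders alongside what is being done."""
    return round(sum(d["score"] for d in decisions if d["action"] != "fix now"), 2)


# Constructed sample backlog (not real findings).
SAMPLE = [
    Vuln("VULN-001", "public-web", 9.8, True, True, True),
    Vuln("VULN-002", "internal-wiki", 9.1, False, False, False),
    Vuln("VULN-003", "vpn-gateway", 7.5, True, True, False),
    Vuln("VULN-004", "hr-db", 6.4, False, False, True),
    Vuln("VULN-005", "build-agent", 5.3, False, False, False),
]

if __name__ == "__main__":
    plan = triage(SAMPLE, capacity=2, accept_below=8.5)
    for d in plan:
        print(f"{d['rank']}. {d['id']:<9} {d['asset']:<14} {d['score']:>5}  {d['action']:<20} {d['rationale']}")
    print(f"residual risk carried: {residual_risk(plan)}")
```

With the assumed weights, the exploited, internet-facing items outrank a higher-CVSS finding on an internal wiki, which is the whole argument for scoring on exposure rather than severity alone; and the two items the team cannot reach this cycle leave with a reason and a re-review trigger attached.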
So, as we all (supposedly) begin to wind down towards the end of the year, this was the perfect chance for me to reflect, and look forward to what’s next. My experiences from this year will follow me into the next one. As security folk, let’s make peace with imperfections and look for ways to bring others on the journey with us. What lessons will you be bringing into 2023?