A winter SASIG hosted by audit firm PwC looked at how to engage the C-Suite on security awareness. Entitled “Security – why should anyone listen to us?”, its presentations, panel discussions and simulations prompted the sharing of concerns from the coal-face of putting security awareness at front of mind with business’ ultimate decision-makers.
Opening the seminar, Rena Lalgie, Deputy Director, Information Economy for the Department for Business Innovation and Skills (BIS), set out her department’s stall, which follows from Lib Dem BIS minister Vince Cable’s declaration in September that “Cyber security threats pose a real and significant risk to UK business … By properly protecting themselves against attacks companies are protecting their bottom line. Ensuring this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance.” She emphasised the need for government and private enterprise to collaborate to create a security-aware environment.
A theme emerged over the day that the most effective method of engaging with CEOs was to ensure they could grasp the price of security failure. “It’s key to present the case not as ‘how much will this cost?’ but ‘what is the loss to our organisation if we don’t do this?’” So said Paul Swarbrick, CISO and Head of Cyber Security at National Air Traffic Services (NATS).
And “Whilst it is important to highlight the impact of lack of security investment, it is equally important to position security as an enabler to business growth and prosperity,” said Gill Williams of PwC.
Jonathan Shawcross, Director, Group Security and Fraud for Lloyds Banking Group, underlined the need to use language that presented the case for security awareness in a direct and unambiguous manner: “It’s our job to interpret messages that can be understood by corporates, leave the tech-speak behind.”
As Jitender Arora, Senior Programme Manager, Security and Risk, GE Capital EMEA put it: “There are so many demands on a CEO’s time, so many things they need to be thinking of – they aren’t clueless when it comes to the need for security, but it’s vital we present it in a way they can understand quickly. We need to come from a different mindset than from IT and Security – as that doesn’t give them what they need to hear.”
Gill Williams of PwC wrapped up the session: “It is vital to get the awareness of security up to the same level of consciousness as safety, health and environment with constant reinforcement and focus.”
The next SASIG is scheduled for April 25, 2013, hosted by BT in London.
Established in 2004 by Martin Smith MBE BSc FSyI, The Security Awareness Special Interest Group (SASIG) is a subscription-free quarterly networking forum organised by The Security Company (International) Limited as a no-cost exercise. Membership is drawn from CSOs, CISOs and staff with responsibility for security awareness. SASIG has a members’ website at www.thesasig.com.