Q3 2018

Cyber security consulting is not about telling clients they are wrong

By Dr John McCarthy.

Cyber security has been around for a while now; however, its actual meaning, for the most part, remains unclear. In fact, a taxonomy of cyber security would be very useful, as terms and ideas are often bandied about without clear definition. One thing that does seem clear is the perception that if you offer cyber security consultancy, you will be finding fault and telling people they are wrong. In fact, nothing could be further from the truth.

When I have been engaged in cyber security consulting projects, I have dealt with highly skilled and talented professionals. Cyber consultancy often begins in the IT department, and there are a range of technical tests that need to be undertaken. These tests are not new and they pose no threat. IT managers have been testing their systems for years, and penetration testing is a well-established part of the IT security landscape. The results of the tests are acted upon without any criticism of the IT department. My experience is that most IT managers embrace cyber security but feel frustrated, as they know it is not simply an IT problem.

On the other hand, mainstream business managers think cyber security is an IT problem and that the IT department will take care of it. So, after all the technical tests are complete and the reports are presented, they ask: ‘why is cyber security still an unsolved problem?’

So, who is to blame? Who is at fault? Everyone appears to be doing the best they can, and cyber security issues still hang around. This is when everyone can get a little worried. IT have done their job, and management think they have done all they should. We need to look at other areas of an organisation to tackle the problem. There is a rising awareness that cyber is not just about IT but also includes SCADA systems; however, the means of tackling and managing these together is still in its infancy. Yes, there are standards and policies for SCADA, but the integration of SCADA, IT and organisational responsibilities at board level is not present in most companies.

Deploying effective cyber security is an organisational issue. It’s not about telling people they are wrong, but about getting the right people in the room together at the same time. Ideally, the room should include HR for policies and procedures, IT and building control for technology, and management for unique and standard business practices. By doing this we have a handle on people, processes and technology, and the right people in the room to deploy effective cyber security, without telling people they are wrong. In fact, it is only these people who can solve the cyber security problem in their organisation, because they understand it better than anyone else.