This edition we caught up with Steve Durbin, Managing Director, Information Security Forum and our front cover focus for the Spring edition. Steve gives us the lowdown on all things cyber security related, the preventative measures that need to be addressed in order to protect against security risks and what to do to avoid the risk of cyber crime.
You have an impressive profile: it includes names like Gartner and Ernst & Young. And now you’re the Managing Director at Information Security Forum. Could you tell us about your path there? What were the main tipping points during your journey to ISF?
I have been very fortunate throughout my career to have worked with some inspirational leaders and been part of exciting growth opportunities which have developed my career and experience in the UK and around the world. I have managed and grown start-up to £multimillion turnover technology and services enterprises, and been involved with mergers and acquisitions of fast-growth companies across Europe and the USA. I’ve had the opportunity to advise a number of NASDAQ and NYSE listed global technology companies and have served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. But I didn’t start out in technology – my degree was in French and I followed that up by studying for my Chartered Institute of Marketing qualifications to enhance my business knowledge.
I have always been attracted to opportunities that allow me to make a difference – so at Gartner I was fortunate to be involved in starting their marketing consultancy business which I went on to lead from a standing start to over 400 consultants worldwide in five years. I have always been fascinated by travel and other cultures and during my time at Gartner I developed the strategic market entry plans for Asia Pacific, managing existing operations in Japan and Korea and launching new offices in Hong Kong, Singapore and Sydney. I also led some major acquisitions – so I had a pretty varied career during my time there.

At EY I was responsible for marketing the full range of EY products and services across the NEMIA region. I worked with fast growth companies, so I had the chance to work with some truly inspiring entrepreneurs such as Tim Richards at Vue Cinemas, Peter Cullum at Towergate, people who had a vision, a drive and a determination to succeed. One of the key takeaways from my time at EY was that irrespective of what you do, you need to follow your passion if you are to become truly successful.
Working with growth and transformation focused companies – and with people who challenge you to be the best. The attraction of the Information Security Forum (ISF) originally was to work with another industry leader, the late Howard Schmidt, special adviser for cyberspace security to the Bush administration directly following 9/11. He was a leader in developing the U.S. National Strategy to Secure Cyberspace and later went on to serve in the Obama administration as the White House Cybersecurity Coordinator. Schmidt challenged me to help with the growth of the ISF, by introducing new services to meet the continually evolving needs of our members, some of the world’s leading companies. That opportunity still exists, and it is a challenge I continue to enjoy today.
As the Managing Director of ISF, what is your role and the most important responsibilities for you right now?
I oversee the ongoing development and growth of the ISF worldwide. I also sit on the ISF Board and so have first-hand input into our strategy and ways of dealing with the ever-complex business world in which we operate. Legislation and regulation are key changes in our industry – issues such as GDPR and Brexit do not just impact our members, they also impact the ISF and navigating a path through these and other business issues is a key part of my role.
The ISF is also continuing to grow and in our business that means we need to attract and retain people who both enjoy the challenge of working in a fast paced, dynamic industry and are able to hold the attention and respect of our members. For a small company that can be very challenging.
What are the most important qualities that you need to work in this position? What do you feel are the biggest challenges that you face being in this position?
Every business leader today will tell you that technology has radically changed the way in which we operate.
This presents challenges and I would say that agility, the ability to both anticipate and react to market demands, is one of the key qualities that a leader needs to bring to an organisation. But there are other challenges, particularly related to the cyber security space. We are seeing unprecedented demand for cyber skills and are all fighting to attract and retain skilled people. For the small business that is an even more acute problem – how do you compete with the larger enterprises? So for me it is about creating a differentiated employment proposition based on transparency, trust and mutual respect with everyone that works at the ISF. It is about understanding the career needs of our people and ensuring that we are all able to achieve our goals. Leaders have a direct influence on the personality of a business. Creating a consistent culture which is authentic and energizing in the face of daily challenges is an art; it cannot be achieved through policies and processes, it requires leaders to lead by example, to be consistent in both messaging and behaviour and to create an environment that recognises its shortcomings and is prepared to adapt and change.
I believe that the biggest challenge today for any leader is to create a shared mindset and shared ambition across the enterprise that takes into account the needs of the market, the clients but most importantly the people. It is about clarifying what great looks like and then creating an environment for the team to succeed; for me that is all about allowing people to define, understand and fulfil their passion.
What in your tenure do you feel has been the biggest achievement with the ISF so far?
The ISF turns 30 years old this year and we have never been more relevant than we are today. Our membership continues to grow and we continue to provide them with the tools and insights that are required to try and stay ahead in a world of increasing threat and transformation.
ISF is an independent information security body. Could you tell us more about this body and what it does specifically? What is its speciality field and what are its objectives as an organisation? What specific aims do you see as the most important ones for the ISF?
The ISF is primarily concerned with enabling our members to effectively manage and mitigate risks to their data and systems. It’s never been harder or more critical than in today’s hyperconnected world and our approach focuses on providing practical measures for member organisations. Our Standard of Good Practice for Information Security provides a comprehensive best practice blueprint. Our tools include a tangible methodology, industry benchmark and regular surveillance of the threat landscape. And our ongoing research programme, which members participate in developing, ensures relevance in a fast-evolving arena. The ISF’s objectives are directly linked to this; going beyond discussion to actions, solutions and supporting our members who understand that information security has passed from being necessary to being essential.
Information Security Forum works with many leading organisations that are featured on the Fortune 500 and Forbes 2000 lists. Why do you think companies approach ISF and want to join?
The operating environment for organisations is becoming ever more volatile. Technological step changes are affecting entire business models as 5G, AI, drones, quantum computing and an expanding nexus of IoT devices receive significant investment. Ubiquitous digital interconnectivity and the benefits that brings is also creating an evolved and more complex threat landscape. Organisations must prepare for the arrival of such technologies by understanding how they will be used – those that get it wrong will find themselves compromised, their operations disrupted and reputations damaged. Quantitative risk assessment will increasingly become the norm for organisations seeking to justify security investments in an environment of increased volatility.
Few security departments are in a position to successfully address all the cybersecurity challenges and prioritisation around protecting critical assets – the organisation’s crown jewels – which will be essential. Continuing skills shortages will increase the need for smart targeting of security priorities in line with the business risk appetite and risk profile. So, the market is challenging – members value the depth and full spectrum approach to information security at the ISF.
In addition to tangible information security measures members have access to expert consultancy and they like that we are here to help them with specific projects as well as help them to help themselves through the available tools and research. In a similar vein we take a “bedrock to boardroom” approach so that CISOs are supported in engaging with their whole organisation.
Equally the Board and practitioners can easily gain a thorough understanding of both threats and cybersecurity best practice which underpins long-lasting resilience and growth with minimal risk in the digital era. Our footprint is global which enriches the collective insights we gain from members and feed into our research. Finally, Members value being able to participate in developing leading research and collaborative solution-finding.
The ISF has a strong history of working with its members to spotlight issues such as supply chain vulnerabilities, cloud, developing the security workforce and quantitative risk assessment. In addressing these issues, we help members target and begin to offset current and future stress factors.
In your opinion, what are the main and biggest challenges that ISF faces every day?
The top concern is technology and society’s overdependence on it. Technology continues to enable innovative digital business models and society has become critically dependent on technology to function. The race to develop the next generation of super-intelligent machines is in full swing and technology will continue to be ever more intertwined with everyday life. This new hyperconnected digital era creates an impression of stability, security and reliability. However, it is an illusion which when coupled with heightened global mistrust and rising geopolitical tensions, will give rise to ever more sophisticated and pervasive cyber threats that are targeted and disruptive. The effect will be that the operating environment for business will continue to become increasingly volatile.
The impact on society will be that technology will intrude into many aspects of personal and working life, creating a digital-centric, always-connected society that raises fundamental questions around social well-being. Add to that the lightning fast evolution of cybercrime – attacks increasing in number and sophistication and the pace at which dependency on technology is outstripping both regulation and cyber defense in most organisations, and you have more than enough challenges for any one organisation to deal with. That is one of the attractions of the ISF – we are a global collaborative community of some of the smartest minds in the security industry.
What are the most exciting projects that you’re working on right now with ISF?
We have a research agenda that is determined in conjunction with our members – so we have just released our annual Threat Horizon report which looks out two years to try to identify upcoming threats. We are building on our cloud research which we started many years ago and we continue to look at developing a board level toolkit that distills the essence of ISF tools. We are revamping our benchmark systems since it has never been a more important time to be able to assess your own security posture within the context of other organisations or standards.
Can you say a few words about the future? What do you think the whole cyber, information security and risk management industry will look like 5, 10 years from now? And the Information Security Forum — what it will look like?
Digital transformation is now top of the challenge list for many businesses and operating in the digital world is increasingly a matter for effective management of risk. The focus needs to be on how being safe in cyber can drive organisational growth and development – understanding cyber risk and building in appropriate cybersecurity from the start are fundamental to success. This requires businesses to implement means of maintaining situational awareness and cyber resilience, such as increased monitoring and gathering of threat intelligence.
Overall, businesses will need to respond to the challenge that cyber is not an IT or purely technical issue and that operating in the digital world is the new business as usual. The way in which many businesses manage cyber risks will change and this change will need to be owned in, and driven from, the boardroom to ensure engagement and eventual ownership by business leaders of digital. Whilst good cyber-hygiene, IT security and operational risk management will continue to be core to being safe in the digital world, cyber is now a business issue and any mitigation and preparation for the risks of the digital world will fail without the buy-in and ownership of business leaders. The onus will fall on them to identify critical business assets that must be protected and to make protection of the organisation an integral part of their business strategy and implementation plans.
Over the coming years a range of damaging threats will materialise.
Vulnerabilities will be shared across interconnected systems heightening the need for strong cyber security, defences and resilience across the extended supply chain; malware attacks will be amplified by superfast networks; critical national infrastructure (CNI), IoT manufacturers, businesses and citizens will all offer ripe targets for a wide range of attackers, from nation states aiming to cripple CNI to hackers spying on private networks.

Ultimately, organisations will become even more digitally dependent, more interconnected, and will experience a more intense battle for data between organisations, criminals and nation states. AI and machine learning will have a key role to play, not in replacing people but in being used as effective tools that can help with the delivery of increasingly sophisticated cybersecurity strategies embedded both in digital transformation plans and daily, enterprise-wide activities.
The ISF will continue to be at the forefront of helping organisations to develop and embed strategically aligned cyber resilience to protect their critical assets and data.