This edition we caught up with Steve Durbin, Managing Director, Information Security Forum and our front cover focus for the Spring edition. Steve gives us the lowdown on all things cyber security, the preventative measures needed to protect against security risks, and what to do to avoid the risk of cyber crime.
You have an impressive profile: it includes names like Gartner and Ernst & Young. And now you’re the Managing Director at Information Security Forum. Could you tell us about your path there? What were the main tipping points during your journey to ISF?
I have been very fortunate throughout my career to have worked with some inspirational leaders and been part of exciting growth opportunities which have developed my career and experience in the UK and around the world. I have managed and grown start-up to £multimillion turnover technology and services enterprises, and been involved with mergers and acquisitions of fast-growth companies across Europe and the USA. I’ve had the opportunity to advise a number of NASDAQ and NYSE listed global technology companies and have served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. But I didn’t start out in technology – my degree was in French and I followed that up by studying for my Chartered Institute of Marketing qualifications to enhance my business knowledge.
I have always been attracted to opportunities that allow me to make a difference – so at Gartner I was fortunate to be involved in starting their marketing consultancy business which I went on to lead from a standing start to over 400 consultants worldwide in five years. I have always been fascinated by travel and other cultures and during my time at Gartner I developed the strategic market entry plans for Asia Pacific, managing existing operations in Japan and Korea and launching new offices in Hong Kong, Singapore and Sydney. I also led some major acquisitions – so I had a pretty varied career during my time there.
At EY I was responsible for marketing the full range of EY products and services across the NEMIA region. I worked with fast growth companies, so I had the chance to work with some truly inspiring entrepreneurs such as Tim Richards at Vue Cinemas, Peter Cullum at Towergate, people who had a vision, a drive and a determination to succeed. One of the key takeaways from my time at EY was that irrespective of what you do, you need to follow your passion if you are to become truly successful.
Working with growth and transformation focused companies – and with people who challenge you to be the best. The attraction of the Information Security Forum (ISF) originally was to work with another industry leader, the late Howard Schmidt, special adviser for cyberspace security to the Bush administration directly following 9/11. He was a leader in developing the U.S. National Strategy to Secure Cyberspace and later went on to serve in the Obama administration as the White House Cybersecurity Coordinator. Schmidt challenged me to help with the growth of the ISF, by introducing new services to meet the continually evolving needs of our members, some of the world’s leading companies. That opportunity still exists, and it is a challenge I continue to enjoy today.
As the Managing Director of ISF, what is your role and the most important responsibilities for you right now?
I oversee the ongoing development and growth of the ISF worldwide. I also sit on the ISF Board and so have first-hand input into our strategy and ways of dealing with the ever-complex business world in which we operate. Legislation and regulation are key changes in our industry – issues such as GDPR and Brexit do not just impact our members, they also impact the ISF and navigating a path through these and other business issues is a key part of my role.
The ISF is also continuing to grow and in our business that means we need to attract and retain people who both enjoy the challenge of working in a fast paced, dynamic industry and are able to hold the attention and respect of our members. For a small company that can be very challenging.
What are the most important qualities that you need to work in this position? What do you feel are the biggest challenges that you face being in this position?
Every business leader today will tell you that technology has radically changed the way in which we operate.
This presents challenges and I would say that agility, the ability to both anticipate and react to market demands, is one of the key qualities that a leader needs to bring to an organisation. But there are other challenges, particularly related to the cyber security space. We are seeing unprecedented demand for cyber skills and are all fighting to attract and retain skilled people. For the small business that is an even more acute problem – how do you compete with the larger enterprises? So for me it is about creating a differentiated employment proposition based on transparency, trust and mutual respect with everyone that works at the ISF. It is about understanding the career needs of our people and ensuring that we are all able to achieve our goals. Leaders have a direct influence on the personality of a business. Creating a consistent culture which is authentic and energizing in the face of daily challenges is an art; it cannot be achieved through policies and processes, it requires leaders to lead by example, to be consistent in both messaging and behaviour and to create an environment that recognises its shortcomings and is prepared to adapt and change.
I believe that the biggest challenge today for any leader is to create a shared mindset and shared ambition across the enterprise that takes into account the needs of the market, the clients but most importantly the people. It is about clarifying what great looks like and then creating an environment for the team to succeed; for me that is all about allowing people to define, understand and fulfil their passion.
What in your tenure do you feel has been the biggest achievement with the ISF so far?
The ISF turns 30 years old this year and we have never been more relevant than we are today. Our membership continues to grow and we continue to provide them with the tools and insights that are required to try and stay ahead in a world of increasing threat and transformation.
ISF is an independent information security body. Could you tell us more about this body and what it does specifically? What is its speciality field and what are its objectives as an organisation? What specific aims do you see as the most important ones for the ISF?
The ISF is primarily concerned with enabling our members to effectively manage and mitigate risks to their data and systems. It’s never been harder or more critical than in today’s hyperconnected world and our approach focuses on providing practical measures for member organisations. Our Standard of Good Practice for Information Security provides a comprehensive best practice blueprint. Our tools include a tangible methodology, industry benchmark and regular surveillance of the threat landscape. And our ongoing research programme, which members participate in developing, ensures relevance in a fast-evolving arena. The ISF’s objectives are directly linked to this; going beyond discussion to actions, solutions and supporting our members who understand that information security has passed from being necessary to being essential.
Information Security Forum works with many leading organisations that are featured on the Fortune 500 and Forbes 2000 lists. Why do you think companies approach ISF and want to join?
The operating environment for organisations is becoming ever more volatile. Technological step changes are affecting entire business models as 5G, AI, drones, quantum computing and an expanding nexus of IoT devices receive significant investment. Ubiquitous digital interconnectivity and the benefits that brings is also creating an evolved and more complex threat landscape. Organisations must prepare for the arrival of such technologies by understanding how they will be used – those that get it wrong will find themselves compromised, their operations disrupted and reputations damaged. Quantitative risk assessment will increasingly become the norm for organisations seeking to justify security investments in an environment of increased volatility.
Few security departments are in a position to successfully address all the cybersecurity challenges, and prioritisation around protecting critical assets – the organisation’s crown jewels – will be essential. Continuing skills shortages will increase the need for smart targeting of security priorities in line with the business risk appetite and risk profile. So, the market is challenging – members value the depth and full spectrum approach to information security at the ISF.
In addition to tangible information security measures members have access to expert consultancy and they like that we are here to help them with specific projects as well as help them to help themselves through the available tools and research. In a similar vein we take a “bedrock to boardroom” approach so that CISOs are supported in engaging with their whole organisation.
Equally the Board and practitioners can easily gain a thorough understanding of both threats and cybersecurity best practice which underpins long-lasting resilience and growth with minimal risk in the digital era. Our footprint is global which enriches the collective insights we gain from members and feed into our research. Finally, members value being able to participate in developing leading research and collaborative solution-finding.
The ISF has a strong history of working with its members to spotlight issues such as supply chain vulnerabilities, cloud, developing the security workforce and quantitative risk assessment. In addressing these issues, we help members target and begin to offset current and future stress factors.
In your opinion, what are the main and biggest challenges that ISF faces every day?
The top concern is technology and society’s overdependence on it. Technology continues to enable innovative digital business models and society has become critically dependent on technology to function. The race to develop the next generation of super-intelligent machines is in full swing and technology will continue to be ever more intertwined with everyday life. This new hyperconnected digital era creates an impression of stability, security and reliability. However, it is an illusion which when coupled with heightened global mistrust and rising geopolitical tensions, will give rise to ever more sophisticated and pervasive cyber threats that are targeted and disruptive. The effect will be that the operating environment for business will continue to become increasingly volatile.
The impact on society will be that technology will intrude into many aspects of personal and working life, creating a digital-centric, always-connected society that raises fundamental questions around social well-being. Add to that the lightning fast evolution of cybercrime – attacks increasing in number and sophistication and the pace at which dependency on technology is outstripping both regulation and cyber defense in most organisations, and you have more than enough challenges for any one organisation to deal with. That is one of the attractions of the ISF – we are a global collaborative community of some of the smartest minds in the security industry.
What are the most exciting projects that you’re working on right now with ISF?
We have a research agenda that is determined in conjunction with our members – so we have just released our annual Threat Horizon report which looks out two years to try to identify upcoming threats. We are building on our cloud research which we started many years ago and we continue to look at developing a board level toolkit that distills the essence of ISF tools. We are revamping our benchmark systems since it has never been a more important time to be able to assess your own security posture within the context of other organisations or standards.
Can you say a few words about the future? What do you think the whole cyber, information security and risk management industry will look like 5, 10 years from now? And the Information Security Forum — what will it look like?
Digital transformation is now top of the challenge list for many businesses and operating in the digital world is increasingly a matter for effective management of risk. The focus needs to be on how being safe in cyber can drive organisational growth and development – understanding cyber risk and building in appropriate cybersecurity from the start are fundamental to success. This requires businesses to implement means of maintaining situational awareness and cyber resilience, such as increased monitoring and gathering of threat intelligence.
Overall, businesses will need to respond to the challenge that cyber is not an IT or purely technical issue and that operating in the digital world is the new business as usual. The way in which many businesses manage cyber risks will change and this change will need to be owned in, and driven from, the boardroom to ensure engagement and eventual ownership by business leaders of digital. Whilst good cyber-hygiene, IT security and operational risk management will continue to be core to being safe in the digital world, cyber is now a business issue and any mitigation and preparation for the risks of the digital world will fail without the buy-in and ownership of business leaders. The onus will fall on them to identify critical business assets that must be protected and to make protection of the organisation an integral part of their business strategy and implementation plans. Over the coming years a range of damaging threats will materialise.
Vulnerabilities will be shared across interconnected systems heightening the need for strong cyber security, defences and resilience across the extended supply chain; malware attacks will be amplified by superfast networks; critical national infrastructure (CNI), IoT manufacturers, businesses and citizens will all offer ripe targets for a wide range of attackers, from nation states aiming to cripple CNI to hackers spying on private networks.
Ultimately, organisations will become even more digitally dependent, more interconnected, and will experience a more intense battle for data between organisations, criminals and nation states. AI and machine learning will have a key role to play, not in replacing people but in being used as effective tools that can help with the delivery of increasingly sophisticated cybersecurity strategies embedded both in digital transformation plans and daily, enterprise-wide activities. The ISF will continue to be at the forefront of helping organisations to develop and embed strategically aligned cyber resilience to protect their critical assets and data.