21 November 2024

ISF: Your first line of defence

An interview with Steve Durbin, Chief Executive of the Information Security Forum (ISF)

In response to evolving cyber threats, the Information Security Forum (ISF) offers award-winning consultancy services, training, certifications, and professional support activities. Under the leadership of Chief Executive, Steve Durbin, ISF ensures that all member organisations have access to the right tools to detect, respond, and resolve ongoing and emerging threats.

Durbin has years of expertise in corporate strategy, information technology, and cybersecurity, combined with a keen focus on the emerging threat landscape. The European caught up with him to understand more about implementing an effective cyber strategy.

Do you believe that organisations are more aware of the value of a good cybersecurity strategy? Has awareness increased?

Steve Durbin: Yes, indeed. Over the past few years, there has been a noticeable increase in awareness regarding the importance of robust cybersecurity strategies within organisations. This heightened awareness can be attributed, in part, to the global shift towards remote work catalysed by events such as the covid pandemic. The sudden transition to remote work underscored the critical need for implementing comprehensive security processes and controls to safeguard sensitive data. This awareness extends not only to large enterprises but also to mid-sized and smaller businesses. However, while awareness has grown, there remains a challenge in effectively demonstrating the tangible value of cybersecurity investments to business leaders.

From the perspective of ISF, what is a good cyber strategy, and what should it look like in practice?

SD: A strong cyber strategy is one that seamlessly aligns with the overarching business strategy of an organisation. It entails integrating cybersecurity measures into daily operations to enhance revenue generation, shareholder value, employee and customer satisfaction, and overall organisational objectives. Moreover, an effective cyber strategy should be quantifiable, with clear metrics that demonstrate its contribution to achieving corporate goals. It requires active engagement and buy-in from all levels of the organisation, ensuring that every individual understands their role in implementing and upholding security measures. While some organisations have made significant strides in aligning cybersecurity with business strategy, others are still on the journey towards achieving this alignment.

It used to be the assumption that it should be left in the hands of the technology people. Who should be responsible for implementing a cyber strategy, and should the strategy be all-encompassing?

SD: Responsibility for driving cybersecurity strategy and culture should not rest solely on the shoulders of technical personnel. Instead, it is a collective responsibility that extends to every individual within an organisation, as we all interact with technology in some capacity. However, setting the direction and tone for cybersecurity initiatives falls primarily on the shoulders of executive leadership, including the CEO and the board of directors. They must champion a culture of cybersecurity awareness and provide the necessary resources for its implementation. This inclusive approach fosters unity across departments and underscores the critical role cybersecurity plays in achieving organisational objectives.

Are you also concerned that perhaps in some instances there is a misalignment between cybersecurity priorities and business outcomes?

SD: Yes, it remains a significant concern. This often stems from a lack of initial alignment between security initiatives and overarching business strategies. To address this issue, organisations must prioritise involving cybersecurity professionals from the inception of any project to ensure alignment with business objectives. Moreover, effective communication is essential in bridging the gap between technical security language and the language understood by business leaders. By fostering a common understanding of cybersecurity’s impact on business outcomes, organisations can mitigate misalignment and enhance overall effectiveness.

How do you think leaders can ensure everybody buys into the importance of that security concept, and they feel emotionally invested so that protecting a business is a genuine collective effort?

SD: Creating a culture of cybersecurity requires making it personal for every individual within the organisation. This involves providing real-time feedback and personalised training to enhance awareness and accountability. Cybersecurity simulations and exercises should be tailored to each employee’s role, emphasising their critical role in safeguarding organisational assets. Additionally, leaders must align security concepts with individuals’ personal values and responsibilities, ensuring that everyone understands the broader implications of their actions. By fostering emotional investment and personal relevance, organisations can cultivate a genuine collective effort towards protecting the business.

From your perspective as a security expert, how often do you think cybersecurity strategies should be tested given that the threat numbers are constantly evolving?

SD: Given the dynamic nature of cybersecurity threats, regular testing of cybersecurity strategies is imperative. Key components such as policy reviews, defence testing, and cybersecurity simulation exercises should be conducted at least annually to ensure their effectiveness. Moreover, organisations should engage third-party experts to perform comprehensive assessments and provide insights into evolving threats. By proactively testing and refining cybersecurity measures, organisations can enhance their resilience and readiness to mitigate emerging threats.

How much does it cost to not just implement a good strategy, but to maintain it also?

SD: It varies depending on the organisation’s size, industry, and risk profile. Rather than adhering to predetermined percentages of technology spending, organisations should prioritise protecting their critical assets based on their unique risk landscape. This entails identifying and safeguarding essential assets to ensure business continuity and minimise potential losses. While cybersecurity investments are essential, they must align with the organisation’s overall strategic objectives to maximise their value and effectiveness.

Given the increasing regulatory landscape, how can businesses keep up with regulation and the pressures to update their security, especially if they’re operating across multiple geographies?

SD: Staying abreast of evolving regulations and compliance requirements is essential for organisations operating across multiple geographies. This entails actively monitoring regulatory developments and collaborating with legal and compliance experts to ensure adherence to relevant standards. Moreover, organisations should leverage industry associations and forums to stay informed about emerging regulatory trends and best practices. By adopting a proactive approach to regulatory compliance, organisations can mitigate risks and maintain their reputation in an increasingly complex regulatory landscape.

Would you say that investors are probably more receptive to those companies which do have credible cybersecurity strategies, that they feel more comfortable throwing in their money if there is evidence that these businesses are doing all the right things?

SD: While investors are increasingly recognising the importance of cybersecurity, their investment decisions are typically driven by factors such as return on investment and market performance. However, companies with robust cybersecurity strategies may enjoy a competitive advantage by demonstrating their commitment to protecting sensitive data and mitigating risks. While cybersecurity may not be the sole determinant of investment decisions, it can positively influence investor confidence and enhance the overall reputation of the organisation.

Without names, are there any particular companies whose approach to cybersecurity has impressed you? And do you feel that their approach provides a possible template for others to follow?

SD: Organisations in sectors such as financial services and emerging companies have demonstrated commendable approaches to cybersecurity. These organisations prioritise cybersecurity from the top down, integrating it seamlessly into their business strategies and operations. Moreover, they invest in robust security measures and foster a culture of cybersecurity awareness across all levels of the organisation. While every organisation’s cybersecurity needs are unique, these exemplary approaches serve as valuable templates for others to emulate and adapt to their specific contexts.

Looking to the future, what are the key threats that organisations need to be aware of? And has the presence of AI made the security situation more dangerous?

SD: Cybersecurity threats continue to evolve, with traditional threats such as malware, ransomware, and phishing remaining prevalent. However, the emergence of technologies like artificial intelligence (AI) introduces new complexities and potential threats. While AI itself is not inherently dangerous, threat actors may leverage it to enhance the sophistication and scale of cyber-attacks. Organisations must remain vigilant and adopt AI-driven security solutions to counter emerging threats effectively. Additionally, prioritising resilience and business continuity measures can mitigate the impact of potential cyber incidents, ensuring organisational continuity and sustainability in the face of evolving threats.

Are more companies joining ISF because AI has heightened those risks that you’ve outlined?

SD: While AI presents new challenges in cybersecurity, companies join ISF for various reasons beyond AI-related risks. ISF offers a supportive community, valuable resources, and expertise in cybersecurity and risk management. Regardless of specific threats, organisations recognise the importance of collaboration and knowledge-sharing in navigating the complex cybersecurity landscape. ISF provides a platform for organisations to enhance their cybersecurity capabilities and resilience, ensuring readiness to address emerging threats effectively.

About Steve Durbin

Steve Durbin is the Chief Executive of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both corporate and personal environments. He is a frequent speaker and commentator on technology and security issues. Formerly of Ernst & Young, Steve has been involved with IPOs, mergers and acquisitions of fast-growth companies across Europe and the USA. Having previously been senior vice president at Gartner, he has advised a number of NASDAQ and NYSE listed global technology companies.

Further information
www.securityforum.org