Culture, focus, communication and industry buzzwords all need to change according to HP’s Tim Grieveson.
It is always a worry when heading to a meeting with a ‘Cyber Strategist’ regarding the level of detail that will be required. Will it get down to a motherboard-esque level? Will there be a myriad of firewall specifications to wade through?
As many know, the technical knowledge of the IT foot soldiers contrasts heavily with the technical knowledge of the C-suite – leading to the much publicised ‘knowledge gap’ in the industry.
The industry is crying out for people who speak plainly, tailoring views and processes to both the security community and to those who champion the business case.
Up steps Tim Grieveson, Chief Cyber Strategist of HP’s Enterprise Security Products. Six months into the job, Grieveson previously held both the CIO and CISO roles at G4S Risk Management as well as roles at Constellium, BT Global Services and Morrison Utility Services.
It is his mix of experience, at both C-level and on the ground, which cuts through the more technical terminology to simple, plain English. Which is great, because I hate motherboards and firewall specifications.
Kicking off with a well-worn question regarding the threat landscape, Grieveson was quick to address a mistake in terminology that I, and many in the industry, make.
"A lot of people talk about the threat landscape; I actually talk about the threat battlefield or the landmine, because it’s all about the good guy trying to navigate around the bad guy.
"It’s all about trying to navigate a safe passage and that’s all we are trying to do in information security."
The strength of Grieveson’s approach to the threat landscape – apologies, threat battlefield – is that he has both spoken with and consulted for the C-suite, and sat in the chair himself. It is that experience which leads Grieveson to urge a total rethink of the approach to security.
"It’s a change in culture. It’s actually not a technology, it’s people, process and procedure. Approach it at a people and process level – think of it in the same way as health and safety. It is the health and safety and hygiene of your infrastructure, your IP, your data."
This change in culture is rooted in communication – communication at C-level, and communication between the C-suite and IT. It is that lack of communication and collaboration which is hindering the adoption of the culture change Grieveson thinks is so needed.
"Try to quantify it in non-techie terms; the business does not understand it and they don’t want to.
"In my previous roles I started working for the CFO and it was about cost, then worked for the COO where it was more operational, and then for the final part of my tenure I was working for the CEO, where security became the contributor.
"Security is everyone’s concern in the business. Talk about contribution rather than cost and then the conversation changes and your budget is easier to get.
"Befriend every other C-suite – the CIO and CISO tend to be the ones responsible for security, but what about the CMO, Chief Digital Officer, CFO? All of these people should be involved in the security by design discussion."
Multiple projects, devices and operating systems, coupled with the proliferation of data, would point to communication between IT and the C-suite as an absolutely necessary business process. So why is it not happening? Grieveson points to trust as the major contributing factor.
"The business doesn’t trust IT.
"Traditionally in the past, IT has done lots of projects which have either cost a fortune, overrun or gone over budget and that’s because IT hasn’t had a proper conversation.
"So what I tended to do when I was in the seat was change the conversation into a business conversation, get earlier involvement in the project and actually quantify it in a way people understand.
"I hate the terms business and IT because that automatically puts up a barrier. IT is part of the business, it helps enable. It should be an enabler not a disabler and the other thing is, get to know your organisation."
It is not just the business approach that enterprises have all wrong – their focus on what to protect has to be challenged too, argues Grieveson.
"We are not very good at securing the device and the data, depending on the applications it’s used on.
"To a certain extent I do blame some of the developers for this because they have already fixed it on the internet, they have probably already fixed it on the card, but when we are told to develop an app we are told to make it faster, quicker, cheaper, available across all devices – it’s less about the device, it’s more about the data and how we classify the data."
"Understand assets that you want to protect, don’t protect everything, and actually don’t just protect your crown jewels. Lots of suppliers will tell you to put a wrap around your crown jewels, but my view is what happens if it is in the supply chain?
"Focus on the data, rather than the device and then you get security rich and it becomes easier to control and manage."