CISO must act as a translator between technology, security jargon and business risks.

CISO Interview series: Professor Paul Dorey Ph.D. Royal Holloway, University of London

Question 1: Paul I’ve noted that you are both a Professor and Practitioner in the field of Cyber Security. Where is your greatest passion in the field of Cyber Security – what gets you really excited?

Cyber Security can come across as the technical domain of ‘geeks’ and I most enjoy helping business leaders understand the business relevance of security risks and capabilities. It is really powerful when a business executive or Board of Directors grasps the significance of this new risk area and starts to drive security decisions and opportunities rather than reacting to scare stories.

Question 2: In the past you have established the office of the CISO in various industries. When you are searching for a CISO – what are the key critical attributes that you seek?

Because business engagement is so important, the CISO must be a strong communicator able to act as a translator between technology, security jargon and business risks. General Managers usually don’t work out because they cannot call the bluff of the technical people, and the right level of security paranoia is an acquired skill. The successful CISO needs to gain the confidence of business, security and technical communities and so be credible in all three dimensions.

Question 3: As a person who works and consults on the subject of ‘trust’, I’m intrigued: how do you judge the integrity of a person that you have just met?

Trust always takes time to be earned and it is remarkable that most of us are quite so bad at making these decisions. Con-men are only successful because they are trusted so easily. I am probably as fallible as anyone else but good security professionals do believe in ‘trust but verify’ and I will check on facts and with other sources if something really matters professionally. I think all of us rely on robust personal introductions when we can get them.

Question 4: The constant stream of personal data losses from companies seems to show a very cavalier attitude by business to the security of personal data. Would you agree with that?

The incidents that we read about are indeed shocking, especially when the security weaknesses such as exploits on web sites are not new discoveries and are well known in the security profession. Again, I think we are seeing a break-down in communication between the security team and the business that they serve. I cannot see a Boardroom truly accepting major risks to customer data if they had it explained to them in the right way.

Question 5: The recent cybersecurity breaches causing power outages in the Ukraine Energy sector were somewhat predictable given the recent Russian conflicts and ongoing tension. More generally, Critical Infrastructure in many countries in my opinion looks to be underdone. Do you agree with my assessment? What can be done to address this gap?

We are at a very interesting state in cybersecurity where the vulnerabilities built into critical infrastructures in the past are only just starting to be properly understood. Some infrastructures will be resilient because they are just too old to be ‘hacked’ but some more recent technologies have weaknesses that need careful security management. What many are working for in the next generation of systems will be to have security designed-in from the start and there is a lot of activity to this end.

Question 6: The global shortage of cyber security staff means that the risks for enterprises and government will get much worse before it gets better. What’s your vision around how this is fixed – does machine learning help to remediate the situation?

We do need to considerably increase the number of good cybersecurity professionals that we have, but you are right to look at other approaches such as automation. At the moment many cybersecurity operations jobs can be very repetitive and time consuming so process orchestration presents a great opportunity. And, of course, if we designed security in from the start then some problems would not need managing at all.

Question 7: When you talk to Boards on Cyber Security and are asked ‘how much do I need to invest in Cyber Security?’, how do you answer this question?

As you might expect, there is no single right answer to the amount of investment required for cybersecurity, and in fact the Board never ask that question. They are concerned about the strategic and reputational impact of a cybersecurity incident and they look for assurance that those risks are being managed. In reality the sum of money is always smaller than most other financial decisions the Board would make and I have never seen cost be a barrier.

Question 8: What is your personal opinion around the relative strengths of different cyber security credentials? Which credentials do you give greater credence to?

There are now almost too many credentials in cybersecurity and it is difficult to choose one above the other. In the UK we found that knowledge alone was no substitute for wisdom and experience and so founded the Institute of Information Security Professionals to give post-qualification professional accreditation by a panel of peers. It’s rather like having a medical degree vs. being a qualified Doctor. I have my full membership and I know that I earned it. We hope other countries will follow suit.

Question 9: In the field of Cyber Security, where do you see the greatest weaknesses? Are there any strengths or is this just relative to the gaps?

We seem to be very good at looking backwards and ‘fighting the last war’ as we have good skills in the security of internal company networks and traditional IT systems. But we are moving rapidly to a world of cloud computing, mobile devices and the Internet of Things, and it is here where security skills and knowledge are in short supply.

Question 10: Professor Dorey, you have a private audience with the Prime Minister to brief him on Cyber Security. What are the 5 key pieces of advice that you would provide?

Governments are driven by the timescales of popular opinion and the next election, so all my advice would be to take a 10-15 year view instead and:

  • Educate the population and particularly school children to understand and learn good cybersecurity behaviour and practice.
  • Invest in developing cybersecurity skills through university education and research programmes and through cybersecurity apprentices.
  • Require digital service providers to provide managed cybersecurity services as part of network provision to the home and to the Internet of Things.
  • Provide incentives to have critical infrastructure developed and refreshed to be secure by design.
  • Require companies handling large amounts of personal or sensitive data or operating critical services/infrastructures to have qualified and registered cybersecurity professionals accountable for security assurance.
