Flying Doctors; Old Principles, New Domain

Posting date: 16 Sep 2019

Alan Jenkins is the Head of Advisory Services at 2|SEC Consulting. He has some 30 years of experience across all aspects of security, particularly Cyber and Enterprise Security Risk Management. Alan started his career in the Royal Air Force and has subsequently held multiple Cyber Security roles, including as the first CISO for Babcock International Group in 2013. He has also worked for organisations including IBM Security, Atos Consulting, CSC and T-Systems.

I see my progression into Cyber Security as natural rather than accidental. I’m a security generalist and haven’t done anything but security in my adult life. I joined the Royal Air Force when I was 18 because I liked aircraft and wanted to be a pilot. I hadn’t thought of doing anything else since I was seven, until I ended up with a navigation scholarship aged 16. Unfortunately, the RAF decided that my eyesight wasn’t up to scratch for me to fly. This forced a deviation from my dream and I then went to university to study electronic systems engineering, but my heart wasn’t in it. What it did do, however, was give me the time to find something that I really wanted to do, and that led me to join the RAF Police as a Provost Officer.

I subsequently spent much of my service on security duties until 2001, when I made a deliberate decision to get into computer network defence and information assurance – of course, we didn’t call it Cyber in those days. So, in 2002, I joined the Ministry of Defence’s stand-up CERT team as the Intelligence lead, working with Other Government Departments and Allies in the then new world of response to computer incidents. Having started in physical security, looking after nuclear weapons and so on, I worked my way up through Security on Operations at home and overseas into Information Security. That’s what drew me towards Cyber: old principles applied to a new domain.

My role at Babcock was as CISO; in fact, I was the first Group CISO at Babcock. I was initially only responsible for Cyber-related matters but subsequently picked up the broader security coordination task across the Group as we made progress with our Cyber improvement. I relished it. It was a significant career step as it was the first time that I was at the pinnacle of security capability; I wasn’t reporting to a higher level in another company. This was my first UK-based outfit and part of the attraction to me was that it put me into direct contact with the Board for the first time.

I had to up my game – I’m not saying that I got it right straight away, but after some years in the game you know how to hone your craft and apply good practice. It was genuinely a new role; it wasn’t Head of IT Security, it was a CISO role, and that’s something Babcock did right.

While I progressed through the different facets of security, for me the mindset remained on protection. However my nature and environment fashioned me, protecting an enterprise, its people and its assets is what has always appealed to me.

I would say that over the three decades I have been working within the space, the industry hasn’t progressed enough. People still don’t have all the answers to Cyber; many think it’s only a technology problem. That’s not to say it isn’t a technology problem, but it isn’t the only problem. The technology space is perhaps where we have made the most progress, but just thinking Cyber is about technology or defending IT infrastructure actually misses most of the problem. It brings us back to the HR debate: how do we develop the people? That’s where the greater problem lies.

People, process and technology are three things to keep in mind always. You can’t attack one pillar in isolation from the other two; simplistically, you have to tackle all three in concert. If you don’t, the weakest or lowest-hanging fruit will be the thing to trip you up. If you don’t bring the people along for the ride, if you don’t optimise the process flows to minimise human interactions and integrate the technology effectively, your technology investment will not deliver full value to the enterprise.

Small and Medium Enterprises (SMEs) need someone to offer a vision, to map out where the business is with its Cyber Security and figure out what is right for that organisation at that time; this has to be aligned with the business strategy. This is what they should look for from a CISO, but I do not believe SMEs need a CISO permanently.

Firstly, SMEs can’t afford them – fully capable CISOs are rare and expensive, and demand exceeds supply. Secondly, having developed and delivered that vision piece, they no longer need a full-time CISO. What they need is for someone to drop in occasionally, increasingly referred to as a Virtual CISO (vCISO).

I and others have been developing this concept for some time now. I liken it to that of the Flying Doctors: the vCISO drops in from time to time to review the agreed road map with the business, check on progress, check that the implementation plan is still right for that business and adjust as necessary, while also being on call for remote consultation as the need arises. SMEs really need to look carefully at the cost/benefits and determine what they get for their money.

It could be a virtual CISO, or a temporary or Interim CISO for a fixed term: an SME simply doesn’t always need a full-time incumbent. The SME needs expertise and guidance on call but, once embarked on their capability improvement journey, they don’t need a CISO for 240+ days a year because that person won’t provide the ROI. The CISO will be tracking progress and reporting, and, simply, I don’t believe you need that person every day of the week. The business is inevitably focused on whatever line of business they are in; the CISO has to talk to the business, but the business doesn’t always have time to talk to the CISO. The Board doesn’t meet every day of the week, nor even weekly, but the CISO should be in attendance on a routine basis, not reporting by exception – with bad news!

To be that all-important leader – and that in itself is different to a manager – the CISO needs to be able to come in and sell a vision. That vision has to be linked to, and supported by, the business, and the CISO needs to be able to communicate that message to the Board in their business language, not in technical jargon.

The CISO should have expertise around programme management rather than project management, as it’s often a series of activities, many in parallel. The CISO’s role is to articulate and sell that vision and make sure there are success criteria in there, with measures of success for those criteria and a link to fiscal targets, whether that’s spend targets or return targets, and what you are getting for your money. This is still a huge weakness for us. The ROI for Cyber investment is not good: there is stuff happening in this space, but it’s still not mature and, as a result, not yet universal in use.

Enterprises need to think carefully when looking to hire that ‘Ideal CISO’. It’s not just a matter of applying a label and then letting them get on with it. If you’re looking to appoint a CISO, whether to work as an Interim or on a full-time basis, then they need to be connected with the business, not just IT. Perhaps controversially, I don’t think the CISO should report to the CIO. It’s not all about IT; they’re often rebadged Heads of IT Security, and that’s not all that the business needs from the role. After all, the CISO often calls out the CIO for taking on too much risk as they prioritise availability. If the CIO’s main function is to keep the lights on, availability will also govern the CISO’s priorities.

Security often needs to look much harder than IT to know what the root cause of an Incident was. It’s all about understanding and prevention. Most often, the security function is there to do the thinking that the business doesn’t do; it’s almost a mindset piece, looking out for the things that can go wrong. I have found that there’s too much optimistic thinking and not enough pragmatic thought about untoward things happening, whether by accident or design, i.e. someone overstretched cutting a corner to get the job done rather than some more malicious motivation. Security is there as a check and balance, not there to slow the business down but to give more thought to what is happening and how to prevent it or reduce the impact, and that’s often not the priority of the CIO.

Hierarchies and divisions of responsibility need to be right between the roles, but an SME or smaller company doesn’t always have the luxury of affording this. This is where a virtual CISO becomes helpful and offers a perspective that they wouldn’t usually get, provided this is positive and aligned with their business needs.

It’s also hard to learn from others if you spend 30 years in the same company. A CISO’s role is to make sure all of the day-to-day roles come together to secure their business in a cohesive manner. Security is a horizontal activity, not merely a vertical one in the IT space: it’s also everyone’s responsibility!

In an ideal world, we wouldn’t need a Cyber department, as the workforce would all be protecting the business. Then there is Security’s Achilles heel: the good are most often playing catch-up with the bad. We have to get more proactive rather than the more usual reaction to events after they have occurred. Security is neither an art nor a science; it has to be a hybrid function.

For full access to our white paper, The Evolving Role of the CISO, please follow the download link and join the conversation: should we segregate IT and Cyber Security? Do we need ‘flying doctors’ rather than in-house security? And is Cyber Security everyone else’s responsibility?