Bridget Kenyon is the Global CISO for Thales eSecurity where she manages operational information security across the organization. Previously, Bridget has served as the Head of Information Security at University College London where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.
One of the greatest challenges that I have faced at Thales eSecurity has been the ongoing divestment, acquisition and merger activity that is currently taking place across the organization. With this occurring, it is important that we are appropriately transitioning all of the systems as well as spinning up new IT environments as required. With the merger, we have two separate environments that need to merge, and we need to ensure that they become aligned. For example, our organizations had two separate classification schemes for data. We had to work out how the schemes would fit together, considering things such as how policies and processes were being used in practice. One of the most exciting things with this merger, though, is that it has unblocked some of the security initiatives that I was trying to get started. Finally, with the merger it is a good chance to re-assess who has access to what, such as elevated privilege on certain systems.
First – clear and simple communication. With the changes that are currently taking place across the organization, it’s important that clear communication is maintained at each level. One of the great things about this organizational change is that it has given us the opportunity to re-define aspects of our reporting and ultimately fine tune and simplify it so that it can become more effective. A second principle is to make sure that ideas are actionable. There is a tendency in information security to provide a lot of technical details dressed up as KPIs. Ultimately this heap of data becomes more of a talking point rather than an actionable item. Third, as security professionals we should be coming up with strategies and solutions to support the business. In the end the business is our customer, and everything that we do has to help it become better, not get in the way.
I think of human error not as a fault in our make-up, but as an intrinsic part of human behavior; we have evolved to find and use the most efficient and energy-efficient solutions, so it’s totally normal to want to write a password down if it’s hard to remember, for example. Making security work for us is about understanding how people operate, and the decisions they make in real-life situations. It’s also vital to equip people with a better understanding of the risks. Giving staff a to-do list without any context, for example, is not a reliable approach: while half of your audience may indeed just want to know what to do in what order, the other half will ask “why” something is being required, and balk at adopting a seemingly arbitrary set of rules.
The other side of this is the idea of changing business processes and technology to better support employees. I believe that the purpose of IT is to support people performing business operations. If the IT processes are fit for the business purpose, then employees are not expected to stretch and bend their essential behaviors to fit the technology, and security issues are prevented. To avoid people writing passwords down as in my previous example, you could provide a password manager, or use fingerprints instead of a password for logging in.
At UCL, we had a password management system where students and employees had to change their password every 150 days. The worst problem with this system manifested when students had been away from UCL during the summer months; when they came back to UCL in the autumn term they had either forgotten their password or it had expired. This resulted in massive queues of students at the Service Desk during the first few weeks of term, as passwords had to be reset in person. We realized that we needed a way to improve this system and, due to our set-up, it had to be an in-house solution. After much thought, I invented a password reset system where, when the end user typed in their new password, there would be a colored bar underneath, indicating the strength of the password (nothing new here, but bear with me). Next to the bar was a number, and that number increased when you created a stronger password. The truly novel part was that the number represented the number of days that you got to keep that password! We had this system implemented, coupled with a system that would help you reset your password with SMS, and it helped solve the problem.
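The mechanism described above, a strength meter whose number is the days the password may be kept, as an added worked example; this is not the UCL system's code (which is not on the page), and the entropy estimator, the bit thresholds, the 30-day floor and the 150-day cap are all assumptions chosen for illustration:

```python
import math
import string

# Constructed example of a "stronger password, longer validity" reset screen.
# The thresholds below are assumptions: the old fixed 150-day period is reused
# as the cap, and nothing weaker than roughly 36 estimated bits is accepted.
MAX_VALIDITY_DAYS = 150   # assumed cap on how long any password may be kept
MIN_VALIDITY_DAYS = 30    # assumed validity for the weakest accepted password
WEAK_BITS = 36.0          # assumed rejection threshold (below this: not accepted)
GOOD_BITS = 60.0          # assumed amber/green boundary for the colour bar
STRONG_BITS = 80.0        # assumed point at which the cap is reached


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: log2(character-set size) * length.

    Deliberately simple; a production system would use a dictionary- and
    pattern-aware estimator (e.g. zxcvbn) so that "Summer2019" is not
    credited with the strength of a random 10-character string.
    """
    if not password:
        return 0.0
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in password):
        charset += 100  # coarse allowance for non-ASCII characters
    if charset == 0:
        charset = 2  # whitespace-only input: treat as a tiny alphabet
    return math.log2(charset) * len(password)


def validity_days(password: str, min_bits: float = WEAK_BITS,
                  max_bits: float = STRONG_BITS) -> int:
    """Return the number of days the password may be kept, or 0 if rejected.

    Below min_bits the password is refused. Between min_bits and max_bits the
    validity grows linearly from MIN_VALIDITY_DAYS to MAX_VALIDITY_DAYS, so the
    number next to the bar visibly rises as the user strengthens the password.
    """
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        return 0
    if bits >= max_bits:
        return MAX_VALIDITY_DAYS
    fraction = (bits - min_bits) / (max_bits - min_bits)
    return MIN_VALIDITY_DAYS + round(fraction * (MAX_VALIDITY_DAYS - MIN_VALIDITY_DAYS))


def strength_bar(password: str) -> str:
    """Colour of the bar shown under the password box (assumed thresholds)."""
    bits = estimate_entropy_bits(password)
    if bits < WEAK_BITS:
        return "red"
    if bits < GOOD_BITS:
        return "amber"
    return "green"


if __name__ == "__main__":
    # Constructed sample inputs, from a weak dictionary word to a long passphrase.
    for pw in ["summer", "Summer2019", "Summer2019!", "correct horse battery staple"]:
        print(f"{pw!r:32} {estimate_entropy_bits(pw):6.1f} bits  "
              f"{strength_bar(pw):5}  {validity_days(pw):3d} days")
```

The linear mapping is the simplest choice that gives the user immediate, monotonic feedback; the real lever is the estimator, since a naive character-class model rewards predictable substitutions that a dictionary-aware estimator would not.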
I believe that there are two elements. First, there are a lot of role models out there – but they’re unreachable. Somebody who is considering coming into cybersecurity may look at these role models and feel like they represent an unattainable ideal. A woman may work as a CISO; however, how many other women fell by the wayside? I would like to see more stories of women in reachable security positions. The second point is to encourage recruiters to suppress their bias when hiring and be less surprised when they are faced with a woman applying for a technical or leadership role in information security.
I strive for a culture where the different parts of the organization are aware of how they can have an impact and contribute to security. I want people to feel a sense of agency and have the ability to propose change within the organization. We need a collaborative approach to security. The board, for example, could prescribe an outcome, and then it is up to the employees throughout the organization to work towards fulfilling it. I believe that it’s important for people to play a part in designing the policies that they themselves must comply with.