In this interview, Linus talks about the biggest cyber security challenge for security leaders, how CISOs can improve communication with the Board, and the most underrated cyber security skill.
Linus Plum is the CISO of Software AG, responsible for setting, managing, and operating the information security strategy and the overarching security program to protect the company’s assets and business processes. Linus was a panelist in the session entitled “Security incident management: Key lessons from industry leaders” at the Global Cyber Conference in 2022, together with Laurens Binken (Shell), Shawn Bowen (World Fuel Services), and Stuart Seymour (BAT).
What is the biggest challenge security leaders face today and how are you looking to tackle it?
As security leaders, we have spent years perfecting our own area of responsibility: internal systems, processes, and security controls. Driven by advancing digitalization, we see businesses ever-evolving to be more open and more connected with customers and suppliers.
However, in complex global supply chains, owners might have different risk appetites when it comes to cyber risks. Thus, it gets more and more difficult to achieve a holistic understanding of all the risks in the supply chain and whether all of them are appropriately managed.
Not only do we need to find a solution to the lack of transparency and control, but also come up with standardized approaches on how to connect incident response procedures and communication to enable efficient support of our business functions in choosing the right supplier.
Communicating with the board is often a challenge for CISOs. How can they improve security communication?
My experience has been that while every company and every Board is different, they all expect a certain level of understanding of what managing a company entails: taking controlled risks by leveraging resources where they have the biggest impact. Many security professionals, on the other hand, tend to fully mitigate or avoid risks. Understanding the company’s risk appetite and key business risks, and reflecting on them in your Board communication, is crucial.
If you tailor your reporting and communication with regard to the impact on company risk, cost, and revenue, you’re off to a good start. Also, be clear in the message: if you need a decision or Board enablement, it should be clear what options are available, what the cost/benefit trade-off of each option is, not only for your security team but for the whole company (align this with the impacted business areas!), and how you will measure success.
Artificial intelligence (AI) and machine learning (ML) are playing an increasing role in cyber security. But can AI-based cyber security be a complete replacement for human security staff?
As a tech company, Software AG fully embraces AI & ML, as they bring great improvements and have a lot of disruptive potential. This holds true for cyber security as well: as security leaders, we strive to employ top security talent. The reality is that parts of their jobs are not that exciting: reviewing system alerts, mapping different security standard controls, assessing system security, etc.
If these tasks can be supported by AI & ML, we free our security professionals from rather repetitive, dull tasks and enable them to focus on more qualitative aspects such as Red Teaming or connecting with the business and our customers more often to improve alignment.
What would you say is the most underrated skill in the cyber security industry or the skill you wish more people spent time developing?
Cybersecurity is a very specialist-driven discipline. Security education in universities and at other training providers has increased dramatically over recent years, and technical security skills, as well as knowledge of cyber security frameworks and standards, are well developed.
What I feel is underrated in security education, but equally important, are management skills and business acumen. Cyber security is an enabling function. To enable our businesses and customers, we must also understand how they think and what’s important to them.
Connect early, connect often, and run your security plan by your key business stakeholders before implementation. Not only will this ensure proper business buy-in for everything you do, but also that security investment is happening where it brings the most positive impact for the company.