The flexible CISO service by QuoStar can help SMEs navigate the ever-changing cyber-security landscape.
Cybercrime is changing quickly; it is a global issue and it is ramping up by the day. The cybercrime industry is on target to cost the world $6 trillion in 2021 and is forecast to cost $10.5 trillion by the end of 2025. Everyone is under threat: from the individual sitting at home on their iPad or mobile phone, through to small, medium, and large-scale enterprises – even countries!
So how do mid-market and smaller organisations protect against these clear and present dangers? Cyber Essentials? Without a doubt, Cyber Essentials does not make you secure – it is the absolute bare minimum you need to be doing; think of it as locking the doors to your house. It is the same with anti-virus and firewalls – they are no longer enough.
Do the board and IT team really understand the true level of risk they face in every area of the organisation?
How are those risks evaluated and controlled?
Can they make the right budgeting decisions?
How do they respond if there is a breach?
How do they deal with regulators, such as the ICO (Information Commissioner’s Office)?
Is their security stance continually improved?
That’s where QuoStar’s flexible CISO service comes in
Our on-demand service provides clients with ongoing senior IT leadership and guidance on cybersecurity strategy, management, and response from a certified and experienced CISO. They will be able to identify, control, and manage the multitude of threats and challenges businesses face in today’s rapidly changing security landscape from the get-go.
The on-demand service operates in close partnership with senior business leadership and IT teams to ensure both parties hold the relevant responsibilities and accountabilities. They will also help to run and implement Information Security Management Systems, such as IASME or ISO27001. This facilitates enhanced security governance, compliance, and ongoing continual improvement of an organisation’s security position.
The flexible CISO service is led by QuoStar’s Head of Security, David Clarke, who has over 25 years of experience working in cybersecurity, formerly as Global Head of IT Security at BT and other FTSE100 companies. David currently oversees the development, implementation, and support of QuoStar’s clients’ information and security-related risks.
David Clarke comments:
“As a result of the pandemic, company boundaries have become much more fluid. So many employees now work from home. It’s not always clear what belongs to the company and what is personal. Businesses are now having to manage different servers, cloud services, and access control issues. Their technology needs to be safe and compliant in all these areas before it can be performant.
“Organisations need to adopt a multi-layer approach to security to manage these risks effectively, but that can be costly. With our on-demand service, however, businesses can truly afford to get the best protection possible, without putting undue strain on the bottom line.”
The on-demand CISO service follows the successful launch of our on-demand CIO (Chief Information Officer) service earlier this year. Our on-demand CISO service has already seen a rapid uptake of interest, with several businesses already taking advantage of the offering.
“We are delighted to add the CISO service alongside our CIO service. QuoStar gives mid-market and ambitious smaller businesses access to top talent at the level they need. We’ve always been passionate about delivering measurable business outcomes to our clients. Our aim is to reduce risks and improve the bottom line.
We’ve always taken IT security extremely seriously. We have always kept up to speed with the technical controls to IT security risks. The evolution of the risk landscape, accelerated by COVID and the rise of hybrid working means we need to implement enhanced IT security governance into our wider client base. Relying on technology just doesn’t cut it any longer – organisations need to be proactively managing risk, continually.”
In his role as Head of Security at QuoStar, David leads the CISO Service. The CISO service provides businesses with the cyber-security skills and experience necessary to manage the multitude of threats and the rapidly changing risk landscape of today, on a flexible and cost-efficient basis. David takes a moment to share his views on it all.
1. How did you get started in the security field and ultimately become a CISO?
David: I was around when some of the first viruses went mainstream. Back then I worked for one of the only companies that made Multi-Factor Authentication systems in the 90s. It was “leading edge” at the time.
I built and ran one of the largest commercial remote access platforms using Multi-Factor Authentication. Then I ran Infosec for some FTSE 100 companies, one of which was the largest private trading network in the world – trading 3.5 trillion dollars a day. Another was managing Global Security Services Operations Centres (24/7) across 4 continents, where most of the customers were FTSE 250.
2. What do you enjoy most about working as a CISO Service resource/consultant?
David: Meeting challenges of audit, due diligence, and breach management.
Audit is getting more involved and complex and due diligence is often 300-400 questions and an “interview” with the compliance department of potential customers.
Breaches are about managing with around 10% knowledge of the situation and making decisions in a very short time for the best outcomes – while ensuring buy-in from the board. They always seem to happen on Friday evening!
3. As Head of Security, what challenges or issues do you regularly see in small and mid-market businesses? Why do you think the same issues keep occurring?
David: 1. Robust management of access and privilege. 2. Managing risk consistently. 3. Not aligning Cyber Security with Data Protection requirements – as they overlap at a core level.
If you have control of the information assets, servers and cloud, information security is much easier to manage. It enables savings in resource and effort if this happens and can demonstrate control and improvement to the business.
4. How do you think the security landscape has changed in the last five to ten years?
David: As a CISO Service lead, I believe it is managing the hybrid of internal servers and cloud – and managing the challenge of access control. The company boundary is very fluid, especially where ‘what’s company and what’s personal’ is concerned.
One of the best frameworks is ISO27001. It is good for demonstrating accountability and decision making. It also aligns with SOC2 and parts of HIPAA quite well.
5. What do you think will be the emerging risks businesses need to consider in the next 1-2 years?
David: It used to be technology first, then followed by making technology safe and compliant. Now technology needs to be safe and compliant first, and performance orientated second – along the lines of what has happened in the automotive, aerospace, building and food industries.
The risks potentially surround the technology itself not having enough security management capability, or that if it does it can be resource intensive. There’s also the globalisation of threat actors and the capability of managing multiple global data protection regulations.
More recently, the US Biden government issued a memo to US businesses on June 2 stating, in summary, the 5 best practices – one being Multi-Factor Authentication. Other important aspects are multi-pronged backups, updates, Incident Response, external testing and network segmentation.
6. Has the Covid pandemic exacerbated security concerns or introduced new ones for businesses to deal with?
David: Probably, due to homeworking and the fast transformations of moving office servers to the cloud, as well as an increase in Ransomware attacks, an increase in Data Protection legislation globally and the increase in corporate security due diligence concerns.
It has been an increasing challenge for a Head of Security. We have seen an increase in demand from due diligence enquiries, especially for more detailed homeworking policies and guidelines. So, the lines have blurred as to what is a home device or a work device. The “physical office” is now the home office, and mandated rules now have to be guidelines that are appropriate – as well as using more layers of defence to protect staff and corporate assets.
7. Do you think businesses focus too much on the technical/technology element of security (e.g. AI solutions)? What other areas do they need to consider?
David: Potentially yes. Without an end-to-end strategy, security technology “tactics” are unlikely to see a ROI (Return on Investment).
As Head of Security, I see that the human element of security is also overlooked quite often. Especially when you consider that almost half of all security breaches are caused by human error. This is even more disconcerting when you consider that only 60% of employees will report a security breach too.
We are actually hosting a free webinar on that subject on 29th July 2021 at 1pm, so if you’d like to know more register for free.
8. How important is cyber-security education? What are the challenges for a Head of Security conveying the risk/educating business? Who in the business needs to receive education/training and how often?
David: Education is very important, as is having the appropriate training for each role, ideally aligned to the company’s risks – so that maximum benefits can be realised, e.g. developers would require different training from HR staff, as the risks they are managing are different.
9. Do you feel there is a security skills/talent shortage? What advice would you give to businesses to combat this?
David: I’m not entirely sure. If there is a shortage, there is definitely a misunderstanding of what skills are required.
Personally, I would align the risks and the strategy, then decide what skills are required to make it happen. It may be that companies would benefit from outside help – to formulate the strategy, and always have access to a range of skill levels onboard to achieve skills resilience.
The other issues that many companies seem to come up against are 24/7 and global, so having just one capable Security resource will not be enough to cover these time periods.
10. As Head of Security, what advice would you give to businesses who want to reduce risk and increase their security posture?
David: Manage Risk regularly with key stakeholders.
Ideally, do not remove a risk or lower a risk without evidence from at least the following, e.g. a Policy, Procedure, Penetration test, Internal Audit, External Audit or risk committee approval. This will demonstrate accountability and assist in managing data protection, to enable a defensible position in the security posture.
Ensure a multi-layer approach to security. Utilise things like Access control, least privilege, Approved applications, strong email defences, layered endpoint security, centralised control of endpoints and access, plus multiple point backups.
11. If there was one security investment you could recommend to businesses what would it be and why?
One piece of tech most companies aren’t using
To keep companies ahead, Secure Access Service Edge will help with Cyber security and Data Protection. The ROI is great! It releases staff time, and the payback can be in months.
You can manage risk and accountability using the ISO27001 framework. If you are not going to be certified, ISO27001 also helps align with NIST and SOC-2, and can help align some components of Data Protection. It can clearly demonstrate accountability.
Training that is focused on the role in the business is most appropriate, using the “Incident” metrics to tailor training and technology requirements.
Have a data/Cyber champion in every business function so you’re able to manage threats, risk and increase incident reporting capability to enable “real-time” issue management.
We hope you found David’s current take on Cyber-Security insightful. During his career David has worked across multiple sectors, including financial services, government, utilities and FinTech, working with a variety of clients – from start-up level and SME up to FTSE 100. He previously held the role of Global Head of IT Security at BT and Radianz (formerly Reuters). He has also been responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion/trillion-dollar environments. He is also an active CISO consultant on our CISO service offering.