Security Expert Interview Series: Dr Richard Diston

The following is a bit of insight from Dr Richard Diston, a Senior Security Risk Management Executive with a strong track record of advising in a broad range of complex environments. Dr Richard combines extensive sector knowledge, operational experience and business acumen to evaluate enterprise risk at governance, management and operational levels. He discussed with us the best practices for presenting cyber security risks to senior leadership, the types of cyber threats that are the most complicated to detect, and further topics. See his website and Twitter handle @therealsecdoc. Now, enjoy the full interview below.


1. Firstly, thank you for taking part in this campaign, Dr Richard. Can you tell us about your professional background and areas of interest?

Thanks for the invitation. I left school something of a failure with far lower than my predicted grades. I also attended and then dropped out of college. At that time, I just didn’t see the relevance of formal education and it seemed to have none of the answers I was looking for. I floated about for a couple of years before joining the Royal Air Force where I served about 7 years.

Upon my return to civilian life, I worked in security guarding before moving into IT. I left in the early 00’s to return to security and spent much of this time as a freelance consultant and trainer, specifically in the area of conflict and violence management. As the demands of my clients changed, I began studying to differentiate myself from the rest of my competitors and achieved a distinction in my MSc in Security Management from Loughborough University. This was a big deal for me, given my history with education.

Rather than just stop there, I went on to enrol on my professional doctorate in security risk management at Portsmouth University before I had even graduated from my MSc. In the final year of my doctorate, I took and passed CISSP, CISM, CISA, CRISC, CGEIT, Security+, ITIL and ISO27001 Lead Implementer and Lead Auditor as well as a few others. I spend most of my time as a consultant, educator and industry troublemaker these days.

All of this leads to my current areas of interest in security risk governance, primarily because I understand that security is a problem of organisations as much as it is a problem for organisations. As they say, a fish rots from the head.

2. You are a senior security risk management executive with a track record of advising in a broad range of complex environments. Please tell us about the challenges that excite you in such a setting.

The biggest challenges come from a range of areas. I could discuss weak corporate governance and broken security risk architecture. I could discuss the fixation with ‘cyber’ and the idea that security has a technical solution (it doesn’t, it is a people problem). I could discuss the over-promotion of IT people into security executive roles without the calibre, character or understanding of the subject to make real organisational change.

I could discuss the issues relating to broken education in the sector or broken hiring practices. I could discuss the compliance mindset that turns the art and science of security into a tick-box exercise failure. The biggest challenges relate to all of these in one dimension or another.

In terms of what excites me? I would have to answer that it is the changing corporate dynamics and the gradual realisation that the security department does not own security risk and that it can only function as a business benefit if the business itself recognises it is responsible for its own protection first and foremost. Where I encounter organisations who are willing to overcome their historical prejudices against security (some of which are entirely justified) and open to understanding the genuine business value that a well-informed, well-supported security function can provide…that has my interest.

3. One of your key competencies is security risk leadership and management. What are the best practices for presenting cyber security risk to senior leadership?

Great question, but I am not sure about ‘best practices’ since everyone communicating this message is different. What is ‘best’ for me in one situation may not be ‘best’ in another, never mind for anyone else. The question echoes my concerns about an industry that is desperate for ‘playbooks’ and to be told ‘how to do things’ as if it were a configuration process with a clearly defined outcome. That is not how security risk works.

In principle, we need to understand what is important to senior leadership first and foremost, and how they see the world. This is an alignment conversation. We need to implement the core risk management principles in understanding their world and aspirations (context) before we start talking to them about ours. Imagine we are inviting someone to take a journey with us. Most of the time security people expect them to meet us halfway to our destination.

Never going to happen. We need to go all the way to wherever they are to pick them up. We need to do the work. Then we need to understand governance, both in terms of legislation and current trends. The current legal case that investors are bringing against the board of SolarWinds bears close scrutiny as an example.

4. What should CEOs know about the cybersecurity threats their companies face?

They don’t need to know about the threats. That is our business. They need to know about the potential effects of those threats in financial terms in relation to their strategy for the creation of secure value. Nothing else is relevant. If they understand this clearly, management support magically shows up. Remember here that ‘threat’ is a verb – it is an action. So many people don’t even get the risk language correct and make it up as they go along.

5. What critical steps can CEOs follow to mitigate these cyber threats?

Easy question!

1. Create organisational structures that reinforce accountability and responsibility, and reflect rational governance requirements.

2. Hire good people, support them, listen to them.

3. Create a cultural environment where the duty to dissent is supported and the decision-makers are the calibre of people who are not going to take professional criticism personally.

4. Lead by example.

5. Reinforce positive behaviour, enforce an organisational policy against negative behaviour.

6. Do their damn job, basically.

6. What types of cyber threats are the most complicated to detect? Maybe you can give an example from real life?

The ones that the organisation never believed could happen to them. The late Prof Barry Turner created Systems Theory for how man-made disasters are created, and it fits perfectly in this discussion. Organisations create their own disasters with their thinking and worldview, initially. When the event actually shows up, their response is suboptimal because they still have denial to overcome first. Insider threats are the ones that spring to mind. ‘Our people would never hurt our business’. Yeah, right.

7. What do you predict to be important trends in risk management and governance in the next 3 to 5 years?

Well as a risk practitioner, I don’t make predictions, however, I will share a forecast! Note that 5 years is forever with our current pace of change, so I will stick with 3. We’re seeing a rise of activist investors, and they are taking an interest in the ways that organisations are protecting their (considerable) investments.

The shift of control from the C-suite back to the board (where it belongs and where all the liability rests) is a key factor in this. I recommend the work of Prof Bob Garratt in this area. The triple bottom line that investors are now interested in (beyond purely financial returns) provides the opportunity for security risk practitioners to begin speaking directly with the board and demonstrating value without the buffer/corruption that the C-suite has presented us thus far. Of course, this will require the right calibre of security risk practitioners, which is a whole other conversation.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.