In the latest instalment of Cyber Insiders, we had the privilege of sitting down with EasyJet’s Chief Information Security Officer (CISO), Paul Midian. In this episode, Paul delves into the challenges that security leaders face in an evolving and heavily regulated cybersecurity landscape. With a remarkable 25 years of experience in information security, Paul provides valuable advice on articulating cyber risk to business stakeholders and strategies to avoid falling into the trap of being perceived as the “department of no.”
Organisations, often eager to harness new technology to gain a competitive edge, can quickly clash with security teams who are typically cautious of implementing untested tools. Unfortunately, this caution occasionally paints security as the “department of no.” Paul asserts that a categorical “no” isn’t conducive to business dynamics.
“If you become a department of no, then the business will just go around you, and you’ve effectively lost,” Paul says. Instead, he thinks there needs to be greater emphasis on the importance of transparency and mutual understanding as linchpins in building a symbiotic relationship between security practitioners and business leaders.
Paul advocates for plain speaking, transparency, and openness to foster a climate of trust. “Like anything in life, once you can communicate and empathise with each other’s requirements, you can find common ground and a mutually beneficial compromise that works for both parties, but it has to be relationship-driven rather than transactional.”
Articulating cybersecurity risk, security challenges, and the value of cyber to a non-technical audience poses a unique communication challenge. Paul believes the cyber industry needs to shed the cloak of mystique that sometimes enshrouds security discussions. By avoiding a historical tendency to exaggerate risks, security professionals can authentically convey the reality of threats and promote meaningful action.
“I’m a big advocate for less fear, uncertainty and doubt. We as security professionals also need to hold ourselves accountable for not trying to dress up risk into something that it isn’t. A lot of my work over the years has been delivering messages to a business that they don’t want to hear or trying to persuade them to do something they don’t want to do. On that basis, you need to get good at selling.”
Paul recommends keeping it simple: “Don’t bamboozle your audience with jargon, or you’ll lose their attention. Put risk in context; talk about what’s happening outside the business in the cyber landscape. This approach enables us to have much richer conversations and stop narratives from going sideways around the business because that’s when people get confused and stressed.”
Paul’s perspective on building robust security teams is grounded in affording them autonomy. He believes in providing capable individuals the freedom to think creatively and contribute meaningfully. Paul encourages team members to focus on their core task – detecting and deterring attacks – while offering resources and support when escalation is necessary.
“I’m really clear with the team that their role in security operations is to detect and deter attacks. They don’t need to worry so much about what the impact on the business is; that’s my job. I want them to concentrate on dealing with the attacks, but if something looks like it’s growing arms and legs, then escalate that incident to me, and I’ll have those conversations with the business. You almost need to build a bit of a virtual wall around them to allow them to get on with what they need to do. Their number one priority is dealing with incidents, full stop.”
Defining roles and priorities facilitates focused missions, and hiring additional resources or third-party providers can help prevent burnout and reduce coverage gaps, ensuring efficient security.
Shaped by his experience in the heavily regulated aviation industry, Paul welcomes regulation. However, he recognises that the dynamic nature of cyber threats presents challenges to regulatory frameworks. Paul urges collaboration when engaging with regulators.
“From a cyber perspective, you don’t want regulators to necessarily tell you how to do something. Regarding information security, regulators still have plenty to figure out; the technology and threats are evolving so fast that they’re often playing catch-up. The trick with regulators is to help them understand the direction of travel because cyber is very much an emerging discipline.”
By fostering a cross-industry conversation and proactively involving regulators, Paul believes security professionals can lead in cultivating mutual understanding between the industry and regulatory bodies. This stems from relationship-building rather than transactional interactions.
Listen to the full podcast for more insights and advice from Paul on enhancing your security operations.
Don’t forget to follow our cybersecurity podcast and turn on notifications to ensure you never miss an episode of ‘Cyber Insiders’. If you enjoyed this episode, please like and comment on our page.
To learn more about cybersecurity, visit our Cyber Hub where you’ll find reports, white papers, and articles on a wide range of topics.
Stay up to date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.
If you would like to discuss cybersecurity, learn more about managed detection and response services or any of our other services, please contact the Adarma team at hello@adarma.com.