Cyber Security Consulting is not about telling clients they are wrong!
Cyber security has been around for a while now; however, its meaning remains unclear. In fact, a taxonomy of cyber security would be very useful, as terms and ideas are bandied about without any clear definition. One thing that does seem clear is that there is a perception that if you offer cyber security consultancy you will be finding fault and telling people they are wrong. Nothing could be further from the truth.
When I have been engaged in cyber security consulting projects I have dealt with highly skilled and talented professionals. Cyber consultancy often begins in the IT department, and there are a range of technical tests that need to be undertaken. These tests are not new; IT managers are familiar with them, and they pose no threat. They have been testing their systems for years, and penetration testing is a well-established part of the IT security landscape. The results of the tests are acted upon without any recrimination of the IT department. My experience is that most IT managers embrace cyber security but feel frustrated, as they know it is not simply an IT problem.
On the other hand, mainstream business managers think cyber security is an IT problem and the IT department will take care of it. So, after all the technical tests are complete and the reports are presented, they ask why cyber security is still an unsolved problem. So, who is to blame? Who is at fault? Everyone appears to be doing the best they can, and cyber security issues still hang around. This is when everyone can get a little worried. IT has done its job, and management thinks it has done all it should.
We need to look at other areas of an organization to tackle the problem. There is a rising awareness that cyber is not just about IT but includes SCADA systems; however, the means of tackling and managing these together is still in its infancy. Yes, there are standards and policies for SCADA, but the integration of SCADA, IT and organizational responsibilities at board level is not there in most companies.
Deploying effective cyber security is an organizational issue. It's not about telling people they are wrong but about getting the right people in the room together at the same time. Ideally there should be HR for policies and procedures, IT and building control for technology, and management for unique and standard business practices.
By doing this we have a handle on people, processes and technology, and the right people in the room to deploy effective cyber security without telling people they are wrong. In fact, it is only these people who can solve the cyber security problem in their organization, because they understand it better than anyone else.