Why you can’t bolt on cyber security at the end of digital transformation

In this blog, we highlight Jon Steven’s best insights from Stratia Cyber’s first-ever webinar ‘Why clear goals and a people-first approach lead to secure transformation’.

You can’t just bolt on cybersecurity at the end of a digital transformation process and hope it sticks, says Jon Stevens, Senior Cyber Security Analyst at Stratia Cyber.

In discussion with Liz Murray, Global Security Culture and Awareness Lead at FNZ, and James Findlay, Principle and Co-founder of Stance, Jon explained that achieving secure transformation is just not as simple as putting a fence around stuff. “Companies can’t get to the stage of user acceptance testing then imagine that they can then ‘do cyber’, and put a padlock around everything they have built.” 

“We can all make systems that are bulletproof: they’ll never be attacked or compromised by people, but the unfortunate part is that they’ll never be used by people either.”

Jon Stevens, Senior Cyber Security Analyst

That means having the difficult conversations right at the start of the transformation process – and ensuring that the cybersecurity goals are not only clear, but also align with and support the business goals of the transformation. Together with fellow panellists, Jon concurred that a people-centric approach to cybersecurity is absolutely fundamental. 

Why people matter

Jon’s vast experience as a consultant spans many different use cases – he was very clear, however, that they all have the same thing in common. Jon reminded listeners that “people use systems, so they have to be usable, but they also have to be safe enough not to be abused.” Echoing Liz and James, Jon stressed that establishing and maintaining a good dialogue with people from start to finish (and beyond) is critical. And, of course, communicating with the board sits at the top of the priority list. 

“Ultimately, if you can convince the board to do something, they will cascade the message down to everyone within the organisation,” says Jon. “But that relationship you’re going to have with them is a very fragile beast – and the very worst thing you can do is go in and speak geek. You must speak their language and explain cyber security risk in terms that the Chief Financial Officer can understand.”

Using technical language to encourage non-technical stakeholders at any level to buy-in to change or take action comes with worse consequences than simply not being understood. Jon warned of the real likelihood that you’ll then lose your next slot to talk to the board. 

So what does it look like to put this into practice? As part of an ongoing recruitment process for a board-facing role, Jon explained that the decision was eventually made to remove the word ‘cyber’ completely from the job description. So far, this has made a dramatic difference in candidates’ ability to communicate in plain language that puts people first, as opposed to defaulting immediately to the technical response. 

Constructive criticism

Jon advocates for socialising ideas within your team as part of the planning process – needless to say this also involves talking to people. Brace yourself, he warns, for seeing your pet projects constructively torn to bits, but don’t be disheartened. Constructive feedback can trigger lightbulb moments that will ultimately save time, money, effort, embarrassment and reputational damage – because it means you have the opportunity to rethink and redesign things before they reach the wider organisation, or even the customer. And anticipating problems before they occur is even more crucial now most businesses have moved from traditional data centres to the cloud. 

Jon emphasised that cyber security must be built in; related goals and aims in any system, any project, any activity must be embedded from the beginning. Feedback – and sometimes, the more brutal, the better – helps you build a better product.

Without incorporating these fundamentals – discussing risk with the organisation throughout the process, aligning your cyber security principles with the business’s objectives – you’re not going to be secure by design, you’re going to be secure by luck at best. 

About Jon

Jon is a Senior Cyber Security Consultant at Stratia Cyber, currently working on Stratia’s contract with High Speed 2, running its information and cyber security programme and  dealing at CISO level with the biggest construction companies in the UK and the world. Prior to joining Stratia, he worked on defence programmes, including the mitigation of the effects of the Snowden/Wikileaks incident on the Five Eyes Intelligence community, after more than 20 years in the Royal Air Force working on securing, managing and controlling tactical and strategic communications and information systems capabilities.