"You have to tell a story that people want to listen to," says Davies CISO

Trying to scare budget out of a board doesn't work

Samantha Hart, Group CISO at Davies talks about how the role of CISO is evolving, why reporting lines matter and why CISOs have to be storytellers.

Davies is a specialist professional services firm specialising in insurance, financial services and highly regulated businesses. The company employs approximately 8000 people across 40 countries.

Recent reports and events suggest that across swathes of the public and private sector, most recently the MoD, complacency prevails about the extent of risk facing the UKs commercial and critical infrastructure. The causes of this complacency are varied and complex, and fixing it is going to involve a shift in everyone's mindset.

According to Samantha Hart, part of the problem is the reporting lines of CISOs and the perceptions they can create. If a CISO reports into a CIO or a more general technology function, then the perception arises that security is a technology problem, and that technology people alone are responsible for maintaining it. Recent research from Computing suggests that these types of reporting lines are contributing to stress and burnout in cybersecurity professionals.

"I report to the Chief Risk Officer," says Hart. "I think a reporting line straight into the board is really important. My line isn't seen as part of tech infrastructure but you have to cultivate that view. It doesn't just happen."

This is where Hart thinks CISOs and perhaps those in roles requiring less experience like Information Security Manager, need to be careful in how they interact with those in executive roles.

"My background is technical and I don't do the things I used to do, and I'm sad about that sometimes, but I still apparently talk in acronyms which I am trying very hard not to do!"

Scare tactics don't work

Like CIOs and CTOs, CISOs need to be storytellers. Those stories need to be relatable for for every level of employee. CISOs must persuade people to moderate their behaviour without being perceived as the security police. They also need to avoid the trap of being seen to overstate risks therefore encouraging people to ignore warnings in the future. It's a difficult line to walk.

"We use real life smishing and WhatsApp messages, whatever's purporting to be from the CEO today that's come in, we show it in training," says Hart. "I get two pages in the monthly magazine. I don't use acronyms, I show people what's coming in and I try to link it back to real life. If people maintain security in their personal life, they'll bring it to work. People listen if you make it personal but you have to tell a story that they want to listen to."

The same logic applies when communicating up the business. CISOs have to think hard about what they really need.

"Scaring people will only go so far and there's only so many times I can go to the board," she says. "I like cyber risk quantification. If I can take it all back to number that helps because I'm talking to businesspeople. What I would say to any CISO, if you can, is to ask your insurer for some cyber risk quantification. Ask for time with them. Ask them where the claims are coming from in the cyber insurance market because it gives you another view of the threat landscape.

"You can find out how breaches are getting in and find out what's making the most impact. What's causing businesses to go bankrupt? What are the financial losses that are unrecoverable?

"That translates a lot better than talking about zero trust or network micro segmentation."

Plan for the worst, try to screen out the noise

Hart is bracingly realistic about the scale of the threats to Davies assets.

"I work on the premise that it will happen and it will keep on happening because the threat actors have resources I don't have. I can't keep going to the board and asking for more. You've got to assume that you will have an incident and work to minimise the blast radius by blocking lateral movement and controlling data access.

"Containing the blast radius will help you with any regulatory and client matters but the other side is working with IT on the operational availability aspect. I look after the confidentiality and integrity and then work with IT colleagues on getting us back up."

Day to day, Hart's biggest headache is data volumes, and the impact of the enormous quantity of regulation she also has to stay on top of.

"To protect data I have to govern it and governing data is very difficult. Every person is a data creator and we hold a lot of client data. We also have elongated retention periods and all manner of reasons that we can't delete data. To reduce the blast radius of a potential attack I need to know where it all is and what we do to control it all.

"We've got global privacy regulations like NIST, DORA and New York Cyber. There are loads of other insurance cyber regulations. Keeping on top of that regulatory landscape is challenging, and we have to file, register and prove we're compliant."

Like everyone else working in cybersecurity, Hart is concerned about what AI will being, not just in terms of threats but in volumes.

"There will be more threats and better threats, and then there will be more AI and automation because human eyes just can't cope with it anymore. There'll be more data growth, the volume of tasks will grow. The challenge will be cancelling the noise and focusing. You'll need noise cancelling headphones for life!"