Tension-by-design is a healthy way to run cybersecurity, say panellists

Managing the friction between compliance and security is all about empathy

Managing friction in cybersecurity is all about communication and empathy, said panellists at Computing's Cybersecurity Live event.

When moderator Graeme Burton asked how panellists manage conflict between cybersecurity and compliance teams, Ian Hill of Royal BAM Group said, "We really rub shoulders with the compliance team. It's all about communication and trying to see things from both sides."

"It's really about understanding where they're coming from and the regulatory requirements that they're dealing with," he added, "and for them to understand that we're coming from the need for a secure, robust security posture. It's really about communication."

From a compliance perspective, this approach has worked wonders for BAM. "We're in a much better position than we were 18 months ago," Hill continued.

Erik Vynckier, interim CEO at Foresters Friendly Society, said that he rarely sees that conflict in the financial services industry.

"Our second-line [leadership], chief risk officer, chief compliance officer who is also our DPO, are very dynamic about the issue of cybersecurity. I very rarely see IT and compliance being different - everyone wants to do their job right."

If there is a conflict, it tends to be because IT is acting as a blocker for the first and second lines of business.

External regulators demand security be baked into financial services from the get-go, and are also very "dynamic," said Vynckier.

"If I neglected cybersecurity I could not be the CEO. I would be pushed out by the regulator and I couldn't be a CEO elsewhere."

Hill said that the same is the case in construction. People outside the industry don't realise how much sensitive data, such as information on employees' mental health conditions, firms like BAM need to keep.

Jan Langham, head of security assurance at Flutter Entertainment (formerly Paddy Power Betfair), said that some tension can be healthy. "The way we've looked at it is you can have some security people becoming defensive, but sometimes good compliance programmes and engagement can accelerate security posture."

Penetration tests and other 'real-life' cybersecurity training can help with creating this tension by design. Foresters does this frequently, each time choosing a different company that will utilise new methods and attack routes.

"This way, we learn something new every time," said Vynckier.