In 2015, Kier Group CIO Duncan Stott had spent four years running IT for the FTSE 250 the construction company when he realised that cyber security was the most important subject for a CIO.
“I also realised that, like most CIOs, I am a generalist and I needed to become far more informed about security,” Stott tells CIO UK at Cyber Security Connect in Monaco. “So I took a year's Open University course in information security.
“It didn't make me a CISO, but it gave me a good grounding and helped me to be really sure-footed about what security is and what it isn't, what the perimeters of security are, what the horizon is, and what the key issues are."
The university course provided him with the basics and the challenge since then has been to carry on studying.
Stott readily acknowledges that he will never be an expert in cyber security and is suspicious of anyone who claims such credentials.
The subject changes so rapidly that no one can retain expertise for long and the best way to keep up is to continue to learn.
"There aren't experts in security, there are just learners," says Stott. "Experts sit back and are proud of what they've learned, but security professionals carry on learning day-in, day-out."
The CISO as a partner
Scott believes there are two central ways in which CIOs can keep learning about cyber security.
"One is you keep up with all the experts and security stories," he says. "You keep up with the press, you read CIO magazine, and you keep up with all the things that are happening in the world. Two, is you keep close to your CISO."
Kier is yet to suffer a major cyber security incident and Stott gives much of the credit to his CISO Jim Griffiths.
"Jim has taught me a lot," says Stott." A key way of learning about security is to keep close to the real professionals. Security today is different from what security is going to be tomorrow, and it's absolutely vital for all CIOs to keep on that learning treadmill day-in, day-out."
Stott has developed a close partnership with Griffiths that allows them to benefit from each other’s skills and knowledge.
" I have a broader perspective than him but he has a deeper perspective than me and between us we are able to bounce off each other, balance each other and challenge each other about how to handle our security challenges at Kier."
The duo divides the security responsibilities between them.
"The CIO must own the IT and security strategy and communicate it well enough to the business executives that they are able to make informed decisions. The CISO doesn't have to do that. The CISO has to implement the technical and people components of the strategy."
Working with the board
What convinced Stott that cyber security was the most important issue in his job wasn’t a specific incident that convinced but a growing awareness of the threat and a realisation that this was the issue that most concerned the C-suite.
"My board are fundamentally interested in cyber security and the risks to the business and they engage me more on that than the general breadth of IT services," says Stott.
"It was really recognising the importance to the senior business community that security has."
Stott believes that communicating the risks and methods of mitigation to the board is one of the biggest challenges in cyber security.
"This is how you should do it: the board are fundamentally interested in the impact of security. They want to know what has happened in the last quarter. Have there been leakages, has there been fraud, has there been data loss, has there been financial loss?
"Then secondly, they're interested in the mitigation, be it the people, technology, and process of accreditation.
"C-suite executives are never going to be CISOs and our job is not to make them CISOs, but they are brilliant at looking over a broad area of business and determining in their own judgement whether it's being competently managed. There are metrics we can give them around financial loss and data loss and fines and accreditations but they're very good at judging whether a programme is being managed competently."
Kier’s cyber security defences blend the technical and cultural.
On the technical side, Kier has adopted a broad suite of services from Microsoft. The company has upgraded to Office 365 Enterprise E5, which adds a range of enterprise-grade security features and displaces a lot of point solutions on the market.
"One challenge for CIOs in the security market is looking at the myriad of point solutions, many of which won’t be around for long, as they'll either be acquired or they'll decline," says Stott.
"That is why Kier has adopted a Microsoft strategy. We believe that Microsoft is one of the world's leading players and has got a toolset that is broad, deep and future-proof."
The other key aspect of Kier’s defences is education. The firm receives training materials from a specialist security communications company, which are regularly updated to keep up with evolving threats.
"We have a technical firewall and a human firewall," says Stott.
"Training has limited effect but it's still important to do and one can feel like giving up on training, but one can't. One has to relentlessly keep on raising awareness and hoping that some of it creeps into the consciousness of the breadth of employees."
Stott believes the cyber threat will continue to grow as Kier expands into new partnerships and a wider surface attack area.
His response is to keep updating his combination of defence, detection and response to incidents as the landscape evolves.
To other IT business leaders who are worried about the threat and formulating a strategy to mitigate it, Stott has two pieces of advice:
"One, engage with industry at conferences like we're at today and talk talk talk, listen listen listen. And two, make learning a core part of your personal culture and your corporate team culture."