As cyber breaches dominate headlines and disrupt businesses across industries, the ripples extend far beyond the IT department. From legal ramifications to reputational damage, the impact of a security incident can shake an organisation to its core.
So why do many companies still treat cyber security as an isolated technical problem?
This question lies at the heart of the challenges facing today’s security leaders, according to Christian Toon, Head of Cyber Professional Services at Pinsent Masons. In a recent conversation with Dan Haagman, CEO of Chaleit, Christian shared his insights on how security leaders can elevate their role, break out of technical silos, and position themselves as strategic partners within their organisations.
Watch the interview, read the main takeaways below, and get ready to put your cape on.
The security superhero model
Christian draws an interesting parallel between building an effective security team and superheroes, emphasising the importance of diversity in skills, experiences, and backgrounds.
“The best analogy I’ve got is around how the Marvel Avengers have the absolute kind of ideal blueprint for a security team to bring together people that wouldn’t normally work together, that have these special diverse skills and experiences to really step up to the plate when it matters,” he explains.
This approach helps create a more well-rounded and capable security function that can address the multifaceted challenges organisations face today.
Security is typically seen as an isolated station within an organisation. We're guilty of perpetuating that stereotype by claiming that what we do is too technical or detailed for anyone else to understand.
Breaking down security silos
One of the key challenges Christian identifies is the tendency for security teams to operate in isolation. He stresses the importance of building collaborative relationships across the organisation.
“Security is typically seen as an isolated station within an organisation. We’re guilty of perpetuating that stereotype by claiming that what we do is too technical or detailed for anyone else to understand,” Christian observes.
He advises security leaders to focus on building relationships during “peacetime” to ensure they have the necessary trust and recognition when crises occur.
Collaboration enables security leaders to gain more traction with senior leadership and ensure that security concerns are viewed through a broader business lens.
Aligning security with legal and business priorities
Aligning security efforts with legal and business priorities is becoming increasingly important, according to Christian, who suggests that security leaders should work closely with general counsel and legal teams to amplify their message.
“I find that if security leaders start building relationships, rapport and joining forces with their general counsel or legal teams, they’ll have more weight going into conversations. United together in a common cause, the legal teams want to ensure compliance and make sure that how the organisation deals with breaches, legal matters, etc., is in the interest of the business,” he stresses.
This collaboration enables security leaders to gain more traction with senior leadership and ensure that security concerns are viewed through a broader business lens.
Christian also emphasises that while security is crucial, it’s important to recognise it as one of many vital components of a successful business. He points out that security leaders often believe they should have a seat at the board table due to their critical role. This perspective can be counterproductive because “there are many other seats at the table that help run that business and are equally as important”.
He encourages security leaders to consider their role within the broader context of organisational priorities and to develop strategies for effective collaboration with other key business functions.
Christian suggests that burnout among security professionals often stems from leaders striving to implement perfect security measures across all areas, which can be unrealistic and frustrating. Security is a “game of give and take,” he emphasises, and accepting varying levels of maturity across different security programs with a solid risk management foundation can help relieve the stress.
Many businesses lack the in-house skills necessary to determine their cyber security needs.
Vendor challenges and commoditisation of services
Another important challenge organisations face is to navigate the complex security vendor landscape. Christian notes that while experienced security leaders often know what they need, many organisations struggle to make informed decisions.
Many businesses lack the in-house skills necessary to determine their cyber security needs, he points out. These organisations are often told that cyber risk is among the top three global business risks, creating pressure to take action despite their limited expertise.
In this context, companies need a more critical approach to vendor selection and implementation, with an emphasis on proper control design and threat modelling.
Christian predicts a shift towards commoditisation in certain security services. He cites managed services such as security incident and event management or penetration testing as an example, suggesting that much of this work will be automated in the future.
This trend could lead to more competitive pricing, which he believes would be a positive development for the industry. Budgets continue to be squeezed. “I‘m tired of seeing vendors invest in sponsorship and marketing opportunities that seem more like a competition between vendors than demonstrating value to their customers. I just want a good product at a fair price,” he concludes.
A Security Operations Centre (SOC) might be running efficiently, but if it hasn't been given the right set of use cases or hasn't considered the organisation's unique threat landscape, it may miss critical security events.
Security control effectiveness
Discussing security control effectiveness, Christian explains that failures often stem not from the day-to-day operations of security controls but from their initial design.
Many organisations implement security measures without thoroughly considering their specific use cases or conducting comprehensive threat assessments. For instance, a Security Operations Centre (SOC) might be running efficiently, but if it hasn’t been given the right set of use cases or hasn’t considered the organisation’s unique threat landscape, it may miss critical security events.
Christian emphasises the importance of involving legal counsel in these design processes to ensure that controls meet regulatory requirements and can be defensibly deemed “appropriate.” This approach shifts the focus from merely implementing controls to thoughtfully designing them to address an organisation’s specific risks and operational context.
Root causes of breaches
The vast majority of breaches can be traced back to an initial human vulnerability in the attack chain, Christian concludes from experience. This typically involves an individual’s account being compromised through conventional phishing tactics or email-based attacks.
Looking forward, he emphasises the need for organisations to:
- Improve user education and support, including the mental wellbeing of employees and security teams,
- Enhance internal controls and network segmentation
- Develop robust backup and recovery capabilities
While preventing intrusions is ideal, organisations also need a robust recovery plan. If a breach occurs, how can they quickly restore functionality and minimise downtime? Christian stresses the importance of assuming a “breach state” and working backward to limit potential damage.
Christian’s insights highlight the need for security leaders to think beyond traditional technical boundaries. By fostering collaboration with legal and business teams, adopting a diverse and adaptable security model, and focusing on practical, business-aligned security measures, organisations can better manage risks.
Leaders who can bridge the gap between technical expertise and business sense will be best positioned to protect their organisations and drive value. And we’re here to help.
Let’s discuss your organisation’s challenges and how a holistic cyber security model