There have been a number of occasions, over the years, where an otherwise competent company director has said to me, of technology or information security: “it’s not my field, so I don’t really have a view.” Now, there are many circumstances in which this might be a reasonable thing to say, but when one is talking about the organisation’s cyber security, it’s not so smart.
Let me draw a parallel. Does one have to be a petrol head to be interested in whether or not a motor car will get you safely from A to B? Do you have to be some kind of geek to be interested in whether or not the brakes and steering will work? Does one have to have studied mechanical engineering at university to want someone technically qualified to tell you that the engine will operate as intended?
Uh, no.
So why does one have to understand technology to insist that the organisation employ (or contract with) someone technically qualified to assess the strength and robustness of the organisational cyber defences? It is a relatively trivial matter to establish whether or not someone is technically competent, and it is equally straightforward to require a monthly report confirming that your cyber defences have been tested, that newly identified vulnerabilities have been fixed, and that the organisation is appropriately protected.
The alternative, increasingly, appears to be coverage in the newspapers, on top of the longer-lasting impacts of being successfully breached – and, increasingly, it won’t just be defence companies, as it is now: http://www.thetimes.co.uk/tto/news/uk/defence/article3690238.ece