Cyber Security News / Security Talk Column

How Cyber Security Changes Leadership Skills

Kieran Norton believes that cyber security is undergoing an important change.

Kieran Norton believes that cyber security is undergoing an important change. As the U.S. leader of Deloitte & Touche LLP’s (Deloitte & Touche) Cyber Threat Management practice, Kieran leads a team of practitioners who assist clients in transforming their current efforts into advanced cyber threat management programs, building threat defense architectures, cultivating actionable cyber threat intelligence and responding to cyber incidents.Kieran also leads Deloitte & Touche’s mobile security service offering, works with fellow service leaders focused on key post-digital enterprise trends (mobile, social business, cloud and analytics) – and is a contributor to Deloitte’s Center for Security & Privacy Solutions. Here, he explains the change, including why your organization needs to know what data is most critical from a business perspective, where it is and how it can be accessed.


Is it your view that cyber security has forced a transformation from this being a technology risk based model to a business risk based model? If so, what are the implications of that change?

Many companies have been caught on a treadmill looking at security as a matter of technology compliance. As a result, significant time, energy and cost have gone into implementing a number of traditional security controls in order to demonstrate compliance with various regulations, requirements and “best practices.”While valuable and in many cases foundational, I think most security practitioners, and increasingly also executives and other stakeholders, recognize that the threat landscape has changed. The security controls we have historically relied upon can be bypassed with relative ease by well resourced, professional criminals who will patiently profile and repeatedly attack their target for multiple years. We read about these events on an unfortunately frequent basis.

A risk-based approach calls for a more proactive, flexible and responsive defensive posture. This means your organization needs to know what data is most critical from a business perspective, where it is, how it can be accessed, why and how it is used, and who outside your organization would find it valuable. It also implies that you need to be looking further out on the threat horizon – collecting internal and external cyber threat intelligence, using analytics to render the intelligence actionable, building smart automation into your security processes to become more agile and enable faster decision-making when high (business) risk threats are identified.


How does the move to business risk from technology risk change the leadership skill set?

The shift requires strategy, people, process and technology change on a significant scale. It requires that the Chief Information Security Officer (CISO) be able to connect with the business to understand the risks that matter most, develop plans and solutions to address those risks, and articulate those plans to executives and other stakeholders in a way that crystalizes the issue and the value of the solution. Empowering the CISO in this way will allow the company to make business focused, cyber-risk mitigation choices – without dragging everyone through the technical weeds.

That said, this is not just the CISO’s issue but requires support and involvement from the entire C-suite. The CISO can serve as a change agent in the organization if he or she has the right skills and full support from the C-suite.


What are the main differences of an organization or security vendor/company switching from a defensive tools approach to an offensive based approach?

You hear a lot about “offensive security” these days. While this is an interesting and constructive discussion, there are many open questions around what is viable and responsible. Any business that decides to take offensive measures may invite legal or civil action or may find itself the subject of a counter attack. In fact, we have seen a few cases recently where adversaries have stepped up the nature and scale of an attack in response to what they deemed as offensive actions.

For the moment, companies should consider an “active defense” – where they are not reactively responding to the tell-tale signs of a successful attack but leveraging advanced techniques to identify the coming threat and proactively respond. This involves leveraging intelligence from internal and external sources, using forensics and analytic techniques to drive faster decision-making and responsiveness to hostile activities in the network, mining intelligence for improved incident attribution to develop a deeper understanding of the origin of the attacks, and tracking key adversaries to enhance future risk analysis. 

Read more Security Talk online at 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.