ITV #CISO on building a security culture and managing risk
ITV is the largest commercial broadcaster in the UK, providing content for other on-demand TV services including Netflix and Amazon Prime, with a global digital footprint. Being ‘always on’ means security is at the forefront of their business, and Jaspal and his team are constantly challenged to balance day-to-day security without impacting creativity and streaming operations. Here’s the key takeaways from our recent discussion with him in the CISO conversation webinar:
1. You can’t buy your way out of cybersecurity
With over 20 years’ experience in various media businesses, Jaspal understands the security buck doesn’t always stop at the technology stack.
“Purchasing more tech doesn’t solve the issue, it’s important to have the correct security resources in the right place at the right time and aligned to your business goals and security maturity”. It’s impossible to secure everything in the ever-changing threat landscape, and throwing more tech at the problem isn’t the answer. “A large security team can often create more division and siloes within an organization, as staff relies heavily on this valuable resource in ensuring security is always covered without considering their own behavior."
That’s why Jaspal has tried to nurture and change the culture from within to ensure the entire workforce takes responsibility, understands, and considers security in their daily work which in turn helps his team achieve their goals to maximize security investments and mitigate any risk of cyber-attack. By bringing the business along on their security journey with a combined voice and force against cybercriminals who could be lurking and waiting to pounce.
2. Security is about making the hard choices, and control what you can control
Like many security leaders, Jaspal doesn’t have endless security budget and skilled security staff on hand to deploy 24/7, which means they can be stretched in different directions. During the pandemic and enforced remote working, he had to accept some level of increased risk and make hard choices about how to prioritize and protect different parts of the business.
For Jaspal, the pandemic has been a time for adapting, reprioritizing, and controlling the controllable. Understanding that when resources are tight and the threats are real, he knew he must optimize the efficiency of his security operations as much as possible for maximum coverage. Jaspal and his team have hence focused on improving the security awareness program at ITV by pulling resources from right across the business - whether it’s been collaborating with senior business leaders, or from within Jaspal’s team. They’ve used their time wisely to boost internal education and security awareness at ITV, utilizing their creative nature and engaging with staff to help them learn about cybersecurity and how it relates to their job roles. His team openly shares security insights such as vulnerability reports and risk profiles throughout the business and works with security champions to ensure they understand how security can help and facilitate bigger projects including cloud adoption and digital transformation.
Taking the time and opportunity to strengthen ITV’s cyber basics and security awareness training has helped staff to upskill on how best to deal with security issues proactively, without costing anything but time. In turn, the newfound security resilience from within enables his security team to spend less time firefighting and more time on deploying resource to the right parts of the business units which need it most, which help them to manage risk more effectively by taking a more measured approach.
3. Make security part of digital transformation, and the investment will come
For security leaders like Jaspal, it’s been a challenge to weigh up the risks during the pandemic and to strike the right balance between security vs digital transformation when it comes to investment. “It’s difficult to say what percentage of budget should be spent on security as it doesn’t account for the level of risk you face as a company, which could be different from one organization to another".
Digital transformation is key for ITV as a media business. To ensure he can support the bigger transformative goals, Jaspal engages with other areas of the business to understand the risks they’re facing across the different divisions and how they can manage security risk centrally vs locally, by helping everyone understand the potential impact of certain risks and how to mitigate them.
“The ask (for budget/investment) becomes easier if you can embed security into what the business is trying to do and show value” Jaspal uses a mix of data and business-aligned impact assessments to build the right investment case. Often security is only called upon when something bad happens, however, he has been able to create a more proactive approach to security by rolling out the cultural changes and demonstrating the results this brings to the business as whole. Jaspal continues to build upon security insights and business integration, this helps show how security investments play a key role in supporting and achieving successful digital transformation now and in the future. Jaspal acknowledges that he hasn't always got this right and is something that continues to evolve.
4. Security is a team sport, and breaking out of the ‘culture of no’
“Once you have all the departments onboard the security bus the rest becomes easier and falls into place.” Evidently, Jaspal has security controls on the ground which aren’t necessarily managed and budgeted in his team. For example, the network team doesn’t sit under security, but they are critical to running and managing firewalls. So it’s important to have constant dialogue with different departments who don’t necessarily sit together to ensure they’re using security best practice, especially when it comes to securing cloud-based technology and keeping up with the agility of the development teams.
“The security leader needs to work within the ecosystem of the organization and ensuring security is embedded within the business and proving how security strategy can help the business achieve its business goals.” On tackling shadow IT and plugging into the business at the right time and place and utilizing supplier assessment and baking that into your security awareness program is the key. “It’s important all staff are confident security is there to support them (not to say no!) and how to escalate security issues through the right channels without hindering their creativity".
Jaspal has learned that sharing a PowerPoint or video about security and asking some questions at the end once a year through mandatory training just wasn't changing behaviors and organizational culture. At ITV, they developed an award-winning escape room experience, providing a fun and gamified experience to engage with staff across all departments and using different security concepts to instill this learning.
This engaged approach has helped ITV staff to solve security challenges, and really understand how this can be applied to them in their role. During the pandemic this was pivoted to online live streaming events and games including live hacking demos and getting well-known staff at ITV to tell their own stories. These are key learnings for all colleagues to take back into the workplace to help change security behaviors and culture.