Using Cybernetics to Tell the Security Story
Sam Lodhi Explains How New Models Can Get Board's Attention
Cybernetics - the science of studying communications and automatic control systems - has emerged as yet another innovative way for practitioners to translate security in context to business (see: Metrics Project May Help CISOs Measure Effectiveness Better).
Sam Lodhi, director at Integrated Business Research Systems, a niche professional services firm specialising in technology, risk and business consulting, who is also currently serving as information security transformation director (CISO) at a government healthcare agency in the UK, has taken an approach which uses biological cybernetics - or cybernetics applied to the biological context. This has helped him with explaining the nuances of information security risk to his business stakeholders, who are professionals in the healthcare and biological sciences fields.
Making a case for security investments can be tricky, he says, and the value of security means different things to different business stakeholders, depending on their perspective and their patience. While no one disputes that security is necessary, many stakeholders are ambivalent about the concepts and do not care for the technical minutiae with which practitioners tend to bombard management (see: Treat Security As a Business Problem First).
"Getting the right engagement from stakeholders is a big challenge for practitioners today," Lodhi says. "A cybernetics-based model can help get the attention security needs by speaking in terms and concepts that business can relate to, using structured, rational analogies from the business's own context, which helps stakeholders understand risk better."
Cybernetics as a science actually provides formal engineering language and diagrammatic approaches to systems analysis, which can be adapted to present information security risk much more credibly, Lodhi says (see: Security: How to Get Management Buy-In).
In this exclusive interview with Information Security Media Group, Lodhi explains how he uses cybernetics to formulate his model to communicate with management and some of the pros and cons of the approach. He also touches upon how this model can be emulated in other verticals. He speaks about:
- Applying cybernetics in the information security context;
- Why the biological cybernetics-based model worked;
- Broader applicability across verticals.
Lodhi is the director at Integrated Business Research Systems, a niche professional services firm specialising in technology, risk and business consulting. He has almost 20 years of experience in enabling security strategy, and has successfully influenced executive committees, sat on group boards to direct security and technology strategy and provided oversight as a non-executive director. He is currently serving as the information security transformation director (CISO) at a government medicines and healthcare agency in the UK. Opinions expressed are personal.