The security interview: Managing the ‘no’ mindset
Matt Riley, data protection and information security officer at Sharp Europe, discusses balancing cyber risks with business leaders’ goals
Sharp Europe sells electronic devices, appliances and equipment both to people at home and to businesses. Its business offerings have now expanded with managed services and IT support services. Matt Riley is the company’s data protection and information security officer. He has responsibilities both for Sharp’s internal security and for commercial opportunities.
Within the European business, Riley has a two-part role. The first is a more traditional data protection officer type role, which overlaps into that world of information security and ensures that the business operates in a way where it considers not only data protection risks but also information security risks.
The other part of his role, within the UK business, is looking at potential opportunities and threats. This covers Sharp internally as well as helping its business customers navigate complex issues around regulations and technology.
For instance, when the UK left the European Union, it adopted the General Data Protection Regulation (GDPR) in full, which, as Riley points out, has meant businesses could continue to operate with data flows to and from the EU without too much change.
But, he says: “The UK will likely diverge away from things like the GDPR, which leads to more uncertainty. Part of my role is to understand that level of uncertainty and then help support Sharp internally.”
Looking at technology risks and opportunities, many business leaders want to capitalise on the opportunities generative AI (GenAI) has to offer. But from a regulatory compliance perspective, Riley errs on the side of caution. “There are so many risks around GenAI that are poorly understood,” he warns.
Riley recently posted an article on LinkedIn exploring the risks of the technology, given how easy ChatGPT is to use.
“We need to start drawing some lines here. We need to start educating people on some of the real fundamental differences with the AI models, so at least people can make an informed decision,” he says.
While business leaders will want to see the benefits of GenAI, they also want to use it in a safe and secure way, he adds.
Winning hearts and minds
Like almost every IT security leader, Riley often finds himself in difficult conversations with business colleagues about what they can and cannot do from a cyber security perspective.
“My approach,” he says, “is that the answer’s never ‘no’. You don’t win hearts and minds with what is a really important subject by saying ‘no’ all the time.”
Referring to UK government research, Riley says businesses see cyber security and IT security as a high priority: “We know that the level of concern over cyber security is growing. But compared to 10 years ago, there is now much more awareness of why it is important.”
For Riley, a challenge for cyber security professionals is that the level of knowledge around cyber security is relatively low. Business decision-makers are not experts in cyber security. “Just saying ‘no’ means we’re putting up barriers,” he adds.
Riley says he uses storytelling when handling difficult conversations with business colleagues regarding cyber risks associated with initiatives or projects they want to push forward. He says: “It’s about making the risk relatable to the person you’re talking to.”
Given that IT security uses a lot of technical terminology, convincing people means providing a way for them to understand the risks in a context they can understand. “I have a lovely example with Sharp’s leadership team,” he says, where business decision-makers were able to make an informed decision on whether to take on a new wireless network equipment supplier.
“It was a really, really good proposition,” he says. “Everyone was very galvanised that this was a great idea. So, I took the steps to review the company. We needed to understand how they would protect our data.”
Following the due diligence, Riley says he sat with the leadership team and asked who would like to be involved at board level to sponsor the IT supplier in question. “I then said that there were a few caveats. They [the wireless equipment supplier] won’t give us service-level agreements, they won’t give us uptime, they won’t give us any sort of reassurance that their product meets our minimum security requirements.”
Riley says that following this conversation, nobody was willing to be the executive sponsor. “I didn’t say ‘no’, but I led them to an informed decision where they came to that conclusion anyway,” he adds.
Among the growing areas of concern for IT security chiefs is the supply chain as a potential point of failure and cyber security weakness. Riley expects supply chains to keep growing exponentially over the coming years. Tackling attacks against them requires a cultural change, which is always difficult.
“We as a company, and every company, should have a real level of due diligence over the supply chain,” he says. “But we need to take a risk-based approach because we don’t live in a world of black and white: we live in a grey spectrum of what’s secure and what’s not secure.”
Against this backdrop, he says IT security leaders need to ensure they have put in place appropriate controls to help protect the business.