Loading

The role of the CISO in a digitally transformed organisation

Recommendations for what Chief Information Security Officers should be doing beyond 2021 to solidify their position as a technology innovator and enabler vs. what they’re known for/get caught up doing right now:

Executive Summary

This report outlines the significant complexities surrounding the role of the Chief Information Security Officer (CISO), exploring how they should be spending their time in an era where every organisation is a technology organisation. Digital transformation was already underway for most companies, but COVID-19 accelerated the change; and cyber security has underpinned – and kept up with the pace of – that change, making it a key business enabler driving revenue streams.

Indeed, the pandemic forced companies to say ‘yes’ to cyber security risks and, consequently, elevated the CISO’s posture within the organisation. The vast number of possible tasks and responsibilities for which a CISO is responsible means a one-size-fits-all approach or conclusion would be useless. This report aims to address the problematic balancing act of the CISO function; and to provide some practical guidance for tech company CISOs in ensuring that the progress made during the pandemic continues.

This report also explores the various structures, reporting lines and the status that organisations place upon the role of the CISO. No silver bullet approach exists here; but it is very clear that senior leaders within organisations must empower the function of the CISO, allowing them to drive change across the organisation, not only within the technological space but in terms of people, skills and processes. Indeed, there is an opportunity for CISOs to agree timeframes for key changes; have success metrics incentivised; and be rewarded for achieving cultural change, not just financial savings. In all scenarios though, responsibilities and reporting lines must be clear.

Finally, skills and diversity are two key interconnected challenges across the cyber security domain. Organisations of all types and sizes must strive for increased cyber security awareness among all employees, and will need certified cyber skills to complete technical roles. There has been some success with efforts to improve this in terms of cyber skills, most notably CyberFirst. And, in terms of general awareness, COVID-19 disruption has resulted in many more people being increasingly aware of the cyber threats which can affect personal and professional lives.

But a key barrier remains: diversity; not enough women, ethnic minority, regional/socio-economic and neurodivergent candidates are offered opportunities; and organisations need to take individual responsibility for this. As this report outlines, there is no one-size-fits-all approach to build an effective security function, and diversity of thought, position and experience can only be a positive thing. All organisations can do better.

Recommendations

Recommendation 1: The CISO must help the Board to recognise cyber security as a business enabler, and a critical ingredient in helping the organisation to deliver on its digitalisation journey.
Recommendation 2: The CISO should look beyond the purely technical and focus on business risk management. The CISO must have, and embrace, wider business skills and knowledge to drive change across all business functions.
Recommendation 3: The CISO must be prepared for all types of crises: identify the principles that will guide you in decision-making – and test them.
Recommendation 4: The CISO should build a digital empathy system: use telemetry data from trends to understand how people are working in the system to improve experience and reduce risk.
Recommendation 5: Supercharge the human firewall: the CISO should sharpen security hygiene to encourage people to adopt digitally safe behaviours and be on their guard against cyber threats.
Recommendation 6: The CISO should build the case for investment in appropriate threat intelligence so that they are equipped to help their leadership teams understand the business problem in context and to support improved decision-making.
Recommendation 7: Diversity is a strength to be actively sought within the security team (and beyond). The CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action to ensure a team that makes better decisions.

The value of the CISO post-2021: Elevating the role and looking to the future

Limited understanding of the technical aspects of the CISO role has meant those skills have, historically, been the most sought after. A decade ago, this might have been workable as organisations looked to avoid breaches: now, breaches are an everyday occurrence and cyber security is the problem of every staff member and citizen. The COVID-19 pandemic has also accelerated the trend by which every role and every employee has an increasing part to play in cyber defence. The metrics of success have changed but not all CISOs have adapted quickly enough alongside. Organisations need to develop a people-first approach to cyber security, making communication perhaps the CISO’s most important skill.

It’s clear, too, that the idea of having one individual carrying all the responsibilities of the CISO role is outdated and inappropriate for the digitally enabled businesses of 2021 and beyond. The CISO must be first and foremost a leader and, therefore, throughout this report we refer to the CISO as the head of a wider function.

Security is now a strategic aspect of the enterprise, even more so with the move to remote/hybrid working, and the CISO function needs to account for this. If the role is to have a true C-level dimension, CISOs should focus primarily on the long-term strategic aspects. Indeed, in addition to being prepared for the short-term firefighting, they should also provide real leadership and build a cross-organisational structure creating a security-first approach. This will, ultimately, involve spending more time focusing on fostering trust throughout the organisation.

Cyber security has traditionally been viewed as a large expense coming out of the budget, with little or no obvious link to business objectives. In a digital organisation, business leaders should see cyber security as a business enabler, which unlocks value across every aspect of the business; and the CISO must frame the cyber security team as such. The CISO should be fluent in business strategy as well as technology; think carefully about specific user requirements across the organisation; and know how to effectively collaborate on new strategies with others in the C-suite as well as the Board. The CISO should use a combination of Team Building, Managerial and Leadership strategies to steer an organisation through complex policy and regulatory challenges tied to new technologies and rising concern over privacy and the use of consumer data.

Our previous report, The CISO at the C-Suite, explored how the CISO function should have access to the Board and the Board must have sufficient awareness around cyber threats in order to empower the CISO. The CISO must help the Board to recognise and appreciate cyber security as the business enabler that it is, and a critical ingredient in helping the organisation to deliver on its digitisation journey. By becoming a trusted partner to the Board, the CISO can ensure security is more likely to be seen as a priority by other senior leaders.

At the same time, the most effective CISOs use the Board to help drive change within the business, ensuring that it understands not only risk, but the benefits of investment and good practice to underpin the next stage of digitisation. The best CISOs will help the Board to see cyber as a value add rather than a risk.

Recommendation 1: The CISO must help the Board to recognise cyber security as a business enabler, and a critical ingredient in helping the organisation to deliver on its digitalisation journey.

Key skills for a tech company CISO

Four key elements of a successful CISO

The role of the CISO cannot be one-size-fits-all. Every organisation is different, requiring different positioning, skills, and priorities. Nevertheless, there are common responsibilities which all CISOs share – ranging from the technical, such as incident response, to the strategic, such as developing a security-conscious culture.

Much like cyber security as a wider discipline, too often the role of the CISO is seen as purely technical; but this is not the case. A successful CISO must work across four key areas – and, arguably, the technical element is not the most important of these.

Broadly, the CISO’s responsibilities fall into four key categories:

1. Leadership

The CISO must be the authority on cyber security within the organisation, leading a team to develop and improve the cyber resilience of the overall organisation. To do this effectively, a certain level of experience and gravitas is required to ensure the individual can engage with the Board and subordinate functions effectively. Communication is the most important skill here, in order to effectively manage the technical and commercial functions, while ensuring the Board is aware (and acts) where it needs to.

For better or worse, large organisations are inherently political environments. The CISO must be able to navigate this, using significant political acumen and leaning on significant management experience and understanding of what makes an organisation tick. Almost always a procurer of products and services, strong networks are vital; and, more broadly, for the largest companies at least, the CISO must be respected within the cyber community, giving senior management, shareholders and investment confidence in the organisation’s cyber resilience. For long-term effectiveness this needs to be underpinned by a clear and workable strategy.

2. Strategy

No two organisations’ strategies are the same, with each facing a different threat surface, and having a different level of cyber maturity as well as different functions, cultures and purposes. The CISO’s overall role must be to improve and maintain resilience, but that might mean a number of different things. Financial institutions, for example, might already have robust controls in place and require a seasoned executive to enhance confidence in them. Perhaps gravitas is even more valuable to the organisation looking to recover after a major breach. Some organisations are looking to develop capability from a lower base, working to change ingrained cultures which require more of a focus on communication and education. Of course, in most cases, the reality is a mix of all of these. But in every scenario, the CISO must be at the centre, underpinning operational excellence, business enablement and risk management and providing clear direction on all things cyber.

3. Technical

There is, of course, a requirement for all CISOs to have a strong grasp and understanding of the technical aspects of the cyber security disciplines. At the very least, the CISO will need to understand and oversee implementation of the tools and technologies they procure. Those with a strong background in technical roles (which as this report will explore, tends to be more common than not) also often have clear oversight and involvement in the day-to-day technical aspects of the function.

Technical skills are obviously most significant when responding to the inevitable attacks. Increasingly, all organisations are coming to understand that there is not a small risk, but a near certainty of being attacked in some form by cyber criminals looking to defraud, disrupt or undermine operations. As the threat landscape expands, CISOs are devoting more and more time to firefighting, battling to protect their organisation on the frontline alongside the wider technical teams. Firefighting isn’t always external in the face of malicious cyber actors; sometimes internal projects need to be kept on track, which is often the case when a company’s posture is tactical rather than strategic, making leadership all the more important.

4. Governance

Good governance will allow the CISO to flow down the information security strategy and technical assets into the wider organisation. CISOs must drive processes into every function within the organisation, most importantly, enabling people to be the best defence against cyber threats.

In the past, organisations often viewed governance through the prism of risk and compliance – reacting to regulation such as EU GDPR or the NIS Directive to ensure the organisation is compliant, avoiding financial penalties and simply meeting obligations. This was a rather simplistic approach. Strong governance, as with strong regulation, should look beyond achieving compliance to being resilient. CISOs must foster an appreciation of the threats to ensure that all levels of the organisation understand the purpose of governance and, most significantly, the potential adverse impacts if it is not followed.

Shaping the successful CISO

This report contends that the categories identified here require broadly equal attention for the CISO to be successful. At the very least, the CISO must have oversight of, and the ability to drive, change in any of the four areas. But is that the norm?

No, not often enough! Many CISOs are too heavily focused on technical, reactive responses to emerging threats and breaches. And while this can be down to the wider business, which views cyber security through the lens of compliance and risk rather than a direct threat which might undermine the entire business, often, it’s simply because it’s built into their mindset. Technology is their area of expertise and, therefore, it’s easier to work with. Driving long-term change is more difficult to achieve.

This approach is perhaps to blame for some of the serious breaches businesses have faced in recent years. But whether there is evidence of these breaches moving the dial, in terms of awareness or approach, is up for debate.

Nowhere is this more evident than in the CISO’s standing within an organisation, where the role can range anywhere from a middle manager leading a security focused team through to a true C-suite position which allows for sweeping changes and vast resources spent on cyber protection every year. Historically, the role of the CISO was largely focused on technology and this legacy continues have an impact, forcing the CISO away from focusing on other, equally important, areas – including providing leadership and building cross-company collaboration. Indeed, it is important to note that organisational short termism can lead to CISOs devoting more energy in one area above the others, to the detriment of the long-term resilience of the organisation. As digital transformation has advanced and employees have become the primary target for cyber-attacks, the CISO must further shift the balance to focus on both people and technology.

Cyber security has long had an image problem within organisations. Despite increased exposure, security is still seen to be out of reach of many within the organisation and filled with incomprehensible technical jargon. Too often, it is the case that inexperienced or ‘technically-minded’ CISOs focus too much on their role as a manager. As JC Gaillard has suggested in his book Cyber Security: The Lost Decade, the CISO needs to build internal respect and a real leadership profile alongside their more classic managerial functions in order to be successful.

Once maturity levels around cyber security practices have reached a sufficient level, the CISO function could be shaped as more of a Chief Information Risk Officer (CIRO) role that works closely with finance, strategy, operations and other groups – indeed, this is already happening in markets such as Financial Services. The focus will, therefore, move towards Business Risk Management and less around the technical risk.

Clearly, there is some movement from organisations viewing cyber-attacks as possible to probable, and increasingly inevitable. This shift will increasingly mean that the wider categories discussed here will become even more pivotal for CISOs beyond 2021. As this report contends, the long-term implications are what the CISO should be measured upon; not on a one-year cycle or on breaches overcome, but on progress towards the goal of a better, more aware cyber posture and, ultimately, on broader business Key Performance Indicators.

In order to ensure that the CISO can achieve tangible outcomes that help to achieve their wider goals, extending the average tenure of the role should be incentivised. Furthermore, as the core expectations of the CISO evolve from addressing data breaches, regulatory compliance and third-party risk management, to being holistically responsible for business risk management, the new expectations of the role should be reflected with an appropriate reporting line. As we contend in the CISO at the C-Suite report, CISOs are integral to digital decision-making and should be considered as part of the organisation’s leadership team.

Recommendation 2: The CISO should look beyond the purely technical and focus on business risk management. The CISO must have, and embrace, wider business skills and knowledge to drive change across all business functions.

Case Study: New rules of engagement for a hybrid work force | Microsoft

A good example of innovation in the role of the CISO can be gleaned from Microsoft’s Cyber Security Response to COVID-19.

As Microsoft’s CISO, Bret Arsenault is responsible for disaster recovery at the enterprise level for one of the largest technology companies on the planet, is chair of Microsoft’s Risk Management Council and has directed the organisation’s crisis management in the wake of COVID-19.

Arsenault notes that his role is not just around technical architecture, it’s about including operational excellence, business enablement and risk management to underpin crisis response. And it is this holistic nature that enabled Microsoft to be able to adapt quickly during the first six months of the pandemic when the percentage of the organisation’s staff working remotely moved from 18% to 97%.

Microsoft handles up to around 30 different crises each year; and part of its strategy has been to plan for four types of disaster and crisis recovery: planned for acts (e.g. a weather storm), unplanned acts (e.g. an earthquake), illegal acts (e.g. a cyberattack), and pandemics.

By running regular desktop exercises to prepare for these events, across all levels – local, city, regional, national, global – and with the Senior Leadership Team up to Board level, Microsoft is able to undertake principle-based mitigations to guide its action in any situation.

Indeed, Arsenault puts the COVID-19 pandemic into context by explaining that cyber security incidents have been doubling year on year for the last five years, and we know that opportunistic bad-actors campaigns happen during, for example, government elections and global events like the Olympics. COVID is just another one of those examples that threat actors have clearly taken advantage of: the frequency of things such as phishing campaigns didn’t go up, the campaigns just shifted to this opportunistic model.

There has been an increase in ransomware, particularly human-operated ransomware; and a lot of activity against the remote desktop protocol because, of course, more people are using remote access. But Microsoft wasn’t able to respond quickly and in an agile manner to these incidents just because it was a technology company, but rather because it had prepared for crises. It had moved fairly early on towards a Zero Trust architecture, with identity driving its Zero Trust strategy as the modern control plane rather that the network.

Recommendation 3: The CISO must be prepared for all types of crises: identify the principles that will guide you in decision-making – and test them.

Data-driven decision-making

However, Arsenault concedes that although the organisation was technologically prepared for the model, it wasn’t as much in a cultural sense and remote working yielded some interesting data about balancing security and productivity while maintaining compliance.

Arsenault used this anonymised telemetry data to help make decisions for different types of roles , including looking at required capabilities and protection for those who couldn’t work from home, such as data centre staff, to improve their experiences.

This involved building a simple framework to support remote working, which looked at:

  • user identity and access (understanding how you’re going to facilitate this);
  • Multi-Factor Authentication (MFA) as part of Zero Trust;
  • ensuring all devices are managed;
  • identifying how productivity applications work best in a distributed fashion;
  • how best to run meetings;
  • access to align with business legacy applications;
  • how to monitor the service;
  • cultural and change management; and
  • designing for very specific roles.

Building ‘listening systems’ around trends/experience and understanding productivity for different types of workers, then looking at helpdesk volumes and sentiment related to this, helped see (for example) developer productivity increase to 129% of what the baseline was pre-COVID. Using data will be critical going forward as companies try to maintain productivity levels as the model shifts to hybrid.

Part of this ‘digital empathy’ model means building the tools and implementing a process that takes the security burden off the end user – so that, if they make a mistake, it doesn’t impact the whole organisation. And it’s important to balance user experience and their needs relative to the tooling and to get feedback on whether they are comfortable with the tools you’re using (facial recognition, etc.).

One of the biggest learnings from the pandemic is that having the majority of the workforce working remotely has been an equaliser – Arsenault uses the example of using the tech for meetings means you can’t talk over each other. But returning to a hybrid model changes this again, so how do you make sure you don’t lose the inclusiveness you’ve created? Asking questions and using data will help guide CISOs through how to deal with certain challenges as they arise. But this evidence-based approach will also help them to foster trust throughout the organisation – a key aspect of that leadership piece.

Recommendation 4: The CISO should build a digital empathy system: use telemetry data from trends to understand how people are working in the system to improve experience and reduce risk.

Going forward, Arsenault points out that the plan doesn’t change. CISOs must continue on the digital transformation path by enabling the workforce to be productive; they must ensure Multi-Factor Authentication (MFA) is in place for everything done and that devices are managed; while at the same time maintaining the ‘pedestrian part of the job’ in keeping systems patched and up to date.

Further areas of focus for the CISO

As well as being broadly prepared for crises and building a digital empathy model, there are, of course, many other practical steps that CISOs can take to secure the hybrid working space.

1. Get the basics right

In the recent article Why the future of your business lies in your CISO’s hands, Managing Director at BT Security, Kevin Brown notes that the increase of ransomware and insider threat risk, has pushed information security protection and Denial of Service (DoS) mitigation to the top of the business agenda. But, while this spotlights an organisation’s security function, perhaps helping to recognise it as a true business enabler, the CISO often receives limited additional funding to protect the new operational, reputational and legal risks that they’re increasingly responsible for.

There is, therefore, a need to drive change by doing things differently. But it’s also important to focus on getting the basics right such as basic cyber hygiene. Furthermore, as an organisation accelerates its digital transformation, the CISO must understand the organisation’s vital assets – the data that matters to you – in order to manage it effectively; ensure that security is frictionless and integrated from the outset; and ‘turn on the human firewall’. Indeed, Brown points out ‘the easiest way to infiltrate any organisation is still through an employee’; so by bringing all staff along on the journey to security through education, the CISO can ensure the organisation is less vulnerable to volume attacks. In addition to educating people, CISOs should ensure that measures such as MFA are set as the default, rather than allowing employees to ‘opt in’ to them.

Recommendation 5: Supercharge the human firewall: the CISO should sharpen security hygiene to encourage people to adopt digitally safe behaviours and be on their guard against cyber threats.

2. Understand your adversary

The CISO at the C-Suite report talks about ‘breaches moving the dial in terms of awareness’: but the reality is that people are now just accustomed to breaches – they expect them to happen – and this is, for the most part, the cyber community’s fault. CISOs rarely have the time or resource to conduct research into cyber security incidents, so their threat intelligence relies on word of mouth, press articles and rumour. This, consequently, leaves the CISO in the position where they are poorly equipped to brief the Board effectively about the threat in context: the reality is that only Government and the largest international businesses are likely to have access to professional, cyber threat intelligence (CTI). Up-to-date, accurate and relevant CTI is critical to a business understanding its cyber risk: poor threat intelligence will lead to poor decision-making and the CISO needs to make the business case to invest in CTI to help the business combat the threat.

Recommendation 6: The CISO should build the case for investment in appropriate threat intelligence so that they are equipped to help their leadership teams understand the business problem in context and to support improved investment decision-making.

3. Implement a Zero Trust security model

With the increase in cloud-based services, remote working, the internet of things (IoT) and use of individual devices, security architectures that rely on network firewalls and virtual private networks are no longer sufficient for today’s workforce. Therefore, more and more organisations are adopting a Zero Trust security model, based on a set of core principles:

  • implement least privilege;
  • never trust, always verify; and
  • assume breach.

This model eliminates the assumption of trust within the traditional corporate network and requires every transaction between systems to be validated and proven trustworthy before that transaction can happen. By choosing to implement Zero Trust, a CISO can enable their organisation to embrace the hybrid workplace, and protect people, devices, apps and data wherever they are located.

But how do you put it in place in real life? Earlier this year, techUK curated a collection of case studies from members to demonstrate best practice in Zero Trust. This reflects various parts of the journey being undertaken by organisations; and is designed to be useful to anyone interested in the evolving topic of Zero Trust. However, as IBM’s Martin Borrett and Jason Keenaghan point out in the article Putting Zero Trust into Action, ‘while the definition of Zero Trust may be simple, executing this strategy can be incredibly complex’.

Where to begin and where to go are closely related to what the business is trying to achieve – indeed, IBM note that those organisations who align their Zero Trust initiatives with their top business initiatives will realise a faster return on their investment – for example, securing the remote workforce; protecting the hybrid cloud; preserving customer privacy; and reducing the risk of insider threat. Each of these has a clear business outcome.

Although tools can help enable Zero Trust, you also need to assess what’s already available to you in your environment – and focus on the outcomes you’re trying to achieve. As Borrett and Keenaghan recommend: where gaps are identified, find a solution that can integrate seamlessly into your existing toolset; and build a deployment roadmap that allows you to build iteratively on your foundation.

Working towards diversity in the cyber security team

We know that diversity is important in the cyber security industry – to help it better reflect the population and benefit from different ways of thinking. Diversity also fosters creativity and, by including different perspectives, organisations will be better equipped to solve complex problems. But, of course, it’s important to recognise the skills shortages that the UK’s cyber sector faces.

This report does not look to add to the plethora of work already undertaken to document and assess these shortages: it is an undisputable fact that there are skills challenges across the board. And whether it is in attracting new talent, or retaining staff who command large salaries, it is clear that the sector has to overcome long-term and systemic challenges in this space.

Clearly, these issues have a big impact on the talent that occupies CISO roles across the country. Perhaps the starkest challenge is diversity, as the Department for Digital, Culture, Media and Sport’s most recent skills analysis highlights:

  • 16% of people in cyber security roles are women, falling to 3% in senior roles;
  • 10% of people in cyber security roles are neurodivergent, falling to 2% in senior roles.

Put simply, you won’t fix these challenges without reaching the widest possible cross-section of the population. techUK supports industry efforts to make strides in this space and will continue to try to coordinate efforts across the sector.

Ultimately, every CISO has an obligation to improve these figures – not to achieve diversity for its own sake, but because attracting new talent with varied backgrounds and experience will give your organisation diversity of thought and, with it, an ability to make better decisions; and to change, transform and drive forward new ways of working.

Cyber career pathways have never been effectively mapped out before, but thankfully Government and industry have begun to recognise and tackle this issue. From 2021, the UK Cyber Security Council will be tasked with developing the cyber security profession and with creating clearer career pathways high on the agenda. techUK, as part of the consortium that developed the Council, believes this will be of great long-term benefit to the sector and will help candidates navigate and work towards roles like the CISO itself, as well as (eventually) chartered status. This organisation should also work as a conduit, linking up academia with industry, ensuring initiatives like CyBOK work practically for both.

There are also several organisations in the UK which are focused on increasing diversity in the profession – such as NeuroCyber, which supports more neurodivergent candidates into the profession; Women in CyberSecurity, an international not-for-profit organisation that aims to bring together and empower women in cyber security; and Colorintech, which works to increase the number of ethnic minorities entering the UK tech workforce. As well as working with these organisations, a CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action which actually moves the dial.

Finally, it’s not just about filling cyber security roles, it’s also about retaining talent in them – and this comes down to company culture, but also through making entry-level analyst roles less manual, less repetitive, and less boring through the re-engineering and smart automation of legacy security operational processes. Compassion and empathy are essential for CISOs who want to retain the best talent – and good staff health and wellbeing are the best asset for any organisation.

Recommendation 7: Diversity is a strength to be actively sought within the security team (and beyond). The CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action to ensure a team that makes better decisions.

Conclusion

In summary, going forward, the CISO role should evolve to focus more on business risk management, and less on the technical risks; and it will be critical for the CISO to embrace wider business skills and knowledge to drive change across all business functions. Indeed, the key recommendations outlined at the outset of this report will guide the CISO as their organisation’s digital transformation continues, to ensure that cyber security is viewed as a true business enabler and to create a strong foundation of cyber security knowledge across the business.

Recommendations

Recommendation 1: The CISO must help the Board to recognise cyber security as a business enabler, and a critical ingredient in helping the organisation to deliver on its digitalisation journey.
Recommendation 2: The CISO should look beyond the purely technical and focus on business risk management. The CISO must have, and embrace, wider business skills and knowledge to drive change across all business functions.
Recommendation 3: The CISO must be prepared for all types of crises: identify the principles that will guide you in decision-making – and test them.
Recommendation 4: The CISO should build a digital empathy system: use telemetry data from trends to understand how people are working in the system to improve experience and reduce risk.
Recommendation 5: Supercharge the human firewall: the CISO should sharpen security hygiene to encourage people to adopt digitally safe behaviours and be on their guard against cyber threats.
Recommendation 6: The CISO should build the case for investment in appropriate threat intelligence so that they are equipped to help their leadership teams understand the business problem in context and to support improved decision-making.
Recommendation 7: Diversity is a strength to be actively sought within the security team (and beyond). The CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action to ensure a team that makes better decisions.

Acknowledgements

techUK would like to thank the following organisations for their contributions to this report:

  • BT Security
  • Corix Partners
  • IBM Security
  • Microsoft