Mike Trevett, Director, UK&I of FireEye knows about risk – he was part of the management team at the government Office for National Statistics and has worked in the Cabinet Office. As a risk specialist, his message is one of “keeping it simple”.
Risk is complex enough and there is always the danger of customers saying “Why bother? – it is difficult”. With FireEye having to address users through channels, does he feel disengaged from the fray?
“Yes, it is hard to nail down the unpredictable – which is why we aim to keep the language of cyber-risk something that the [client’s] board understands. Cyber-risk is just another flavour of financial risk, and boards understand that. Getting people to think in those terms, rather than try to employ the world’s best technical expert, is the way to do it. Act as interpreter – crystallise the message so that the board understands it.”
And the channel? “I have to run it through the channel one stage removed. The touchstones with the channel are the same, though – use language the audience understands and don’t overcomplicate. Don’t keep embellishing the security story and giving more and more scary details!”
“At FireEye, we are keen to help organisations understand their security posture and therefore their risk exposure. From a product perspective it guards against the ubiquitous stuff and protects an organisation, but it is a blend – [the bad guys are] a highly motivated source trying to get what you have. They can be stopped only at a prohibitive cost.” So it is a judgement call, but it is possible to contain things.
Within the sales element of the conversation are both the capability of the product and risk reduction, but risk management is a more people-focused conversation than a technology issue, he says.
He knows that security products do not sell themselves: information risk needs to get into the boardroom, and a message about the security appliance is not going to do it.
“I’m not a salesman but a risk professional. For me the conversation is about understanding the problem the customer has, and that is a risk problem rather than an incident. Technology controls can mitigate risk, but are not the answer to everything. We can go so far with tech, but organisations have to understand resilience, so when the inevitable does happen it can be contained and dealt with so the day-to-day work continues.”
“We can measure this to some extent. But it is a compromise assessment – [when doing an assessment on a client] you either find stuff and remediate or say it is ok. So it is a win-win either way.”
Mid-sized organisations in particular have a lot on their plates, he says – growing pains, not having all the backup infrastructure that an enterprise will have, but as they gain scale, they become targets and need enterprise-scale solutions. “The language is twofold – shock and awe to get their attention and then demonstrating what it means in their own terms. Such as the work through partners which is designed to answer the mid-sized organisation challenge. The channel has links into those organisations and they give us the chance to scale across to that size of organisation.”
“On the threats themselves, there is nothing you can do about it, there is bad stuff out there, but this is how you mitigate it – through technology and the human side. [It is] not an easy conversation. FireEye has been clearly involved in the enterprise solutions and is now working down the scale and we are actively looking to see how small we can go. We will develop and evolve over time. [We] have a good brand, especially in the US, but not as well-known as it could be.”
Information risk and cyber-risk are not as well understood as they should be, but they are just another process, like financial risk. Cultural change, though, is notoriously difficult to measure. Soft measures in this area are as useful as any hard measures. Behavioural change is a good indicator – such as an uptick in reported incidents. “Reducing the blame culture and putting it all into the bigger picture is a good start,” he advises.