Cybernetics - the science of studying communications and automatic control systems - has emerged as yet another innovative way for practitioners to translate security in context to business (see: Metrics Project May Help CISOs Measure Effectiveness Better).
The approach taken by Sam Lodhi, CISO at the Medicine and Health Products Regulatory Agency in the UK, uses biological cybernetics - or cybernetics applied to the biological context - to help explain the nuances and risk from information security to his business stakeholders, who are professionals in the healthcare and biological sciences fields.
Making a case for security investments can be tricky, he says, and the value of security means different things to different business stakeholders, depending on their perspective and their patience. While no one disputes that security is necessary, many stakeholders are ambivalent about the concepts and do not care for the technical minutiae with which practitioners tend to bombard management (see: Treat Security As a Business Problem First).
"Getting the right engagement from stakeholders is a big challenge for practitioners today," Lodhi says. "A cybernetics-based model can help get the attention security needs by speaking in terms and concepts that business can relate to, using structured, rational analogies from the business's own context, which helps stakeholders understand risk better."
Cybernetics as a science actually provides formal engineering language and diagrammatic approaches to systems analysis, which can be adapted to present information security risk much more credibly, Lodhi says (see: Security: How to Get Management Buy-In).
In this exclusive interview with Information Security Media Group (see player link below image), Lodhi explains how he uses cybernetics to formulate his model to communicate with management and some of the pros and cons of the approach. He also touches upon how this model can be emulated in other verticals. He speaks about:
Applying cybernetics in the information security context; Why the biological cybernetics-based model worked; Broader applicability across verticals.Lodhi is the director at Integrated Business Research Systems, a niche professional services firm specialising in technology, risk and business consulting. He has almost 20 years of experience in enabling security strategy, and has successfully influenced executive committees, sat on group boards to direct security and technology strategy and provided oversight has a non-executive director. He is currently serving as the information security transformation director (CISO) at MHRA - The Medicines and Healthcare Products Regulatory Agency, which is an executive agency of the Department of Health in the United Kingdom, responsible for ensuring medicine and medical devices safety.