As the Senior Vice President, Chief Security Officer / Chief Information Security Officer for Shaw Communications, James Armstrong is accountable for enterprise security for the Canadian telecommunications provider with over $5 billion in annual revenue, thousands of employees, and millions of customers across the country. This includes designing, maintaining and leading innovative cybersecurity strategies that efficiently and effectively fuse multiple teams into a synergistic, intelligence-driven capability.

The team's key areas cover all elements of cybersecurity and information security operations and architecture, including ISMS, investigations, ethical hacking, identity access management, privacy, regulatory compliance, business continuity management, government liaison, culture and training, and threat risk management.

Below is the conversation that we had with James Armstrong.

What are some of the challenges existing for the leaders looking to establish key cybersecurity programs at their organizations?

The most critical one that is the starting point for any program is senior management buy-in. If the top leaders do not prioritize cybersecurity, then the trickle-down support will never be there, such as awareness, empowerment, budget, and strategic prioritization.

Another key aspect that is often overlooked is selecting a CISO and cybersecurity leadership team that possesses strong “soft skills” versus purely technical expertise. A CISO must be able to view their program from the eyes of the business partners they are enabling, be able to translate technical cybersecurity aspects into business-aligned approaches, and be able to relate and engage with other business leaders and employees in the company.

Without soft skills, cybersecurity will be viewed as a technical roadblock without employee buy-in.

Organizations need protection and resiliency against the significant increase in the volume of attacks on their networks. Government and private organizations are gaining insights about vulnerabilities in their network infrastructure and taking necessary measures to ensure security. What are the new trends which this changing security scenario is bringing about?

Things like ransomware and malware will always be on the list of risks within the cybersecurity space.

However, I believe organizations are learning to focus on the bigger-picture, strategic trends in cybersecurity versus purely the tactical ones like ransomware and malware.

This bigger-picture view places more emphasis on intelligence-driven risk mitigation by understanding how the adversaries operate so you can align your cybersecurity programs towards protecting against the threats that directly create significant risk for your organization versus trying to stop every threat like a game of whack-a-mole.

Organizations are also realizing that cyberattacks are going to happen and their focus needs to also include strong Disaster Recovery and Business Continuity Planning instead of just focusing on defenses.

What would be your piece of advice for your fellow peers and leaders?

Cybersecurity has no finish line and there is an expectation that we are always right.

This is a huge challenge with rapidly evolving threats, third-party risks that we cannot control, shifting regulatory requirements and the depth and breadth of an organization’s technical operations. It is important to have transparent conversations with senior leaders about these challenges so they can understand the support you need and have realistic expectations about how much risk can be managed.

This circles back to the sheer importance of soft skills as they enable these transparent conversations.