No-one is losing their life over infosec decisions and no-one should be losing their head

Don’t be daunted by the rapidly changing face of the security landscape – learn from those who climbed the southwest face of Everest instead.


On an icy night in November 2018, I picked my way slowly around the snaking roads of north Wales through a flurry of snow. I was heading to the Moel Siabod café to meet friends – and listen to two of the greatest mountaineers describe the first ascent of the southwest face of Mount Everest.

Fifty years ago, as part of a British expedition led by Chris Bonington, Doug Scott and his climbing partner Dougal Haston became the first climbers to reach the summit via this new route. It was a remarkable achievement; it was an ambitious and challenging climb largely due to its technical difficulty and exposure to severe weather conditions. That evening, Doug Scott and Paul “Tut” Braithwaite, Britain’s most prolific alpinist, shared with the audience what it took to scale what the Nepalese call Sagarmatha, the forehead of the sky.

You might well wonder why you are reading about climbing exploits in PC Pro. Bear with me, I have a point. Just before the world shut down in March 2020 to control the transmission of the then deadly coronavirus, I sat in Dublin and listened to the UK’s first CEO of the National Cyber Security Centre, Ciaran Martin, deliver a presentation to a rapt audience of information security and fraud prevention experts.

Martin made the point that many businesses operated across a number of sectors that required detailed understanding of engineering (chemical, civil, electrical), programming, biomedical matters and so on, but whose leadership had not yet grappled with the fundamentals of information security. He wasn’t wrong. The point was clear. Leaders could process complex information, but wouldn’t engage in information security matters.

Grappling with complexity

Scaling Everest is a significant milestone in the history of human achievement. For most of us, unless you’re a professional soldier, nothing we do at work will ever be as difficult or as dangerous as scaling a 29,000-foot mountain in sub-zero temperatures. For all the talk of cyber-war and sophisticated nation state actors, information security isn’t more difficult than scaling the world’s highest mountain. Securing information is, or should be, manageable. So why are so many business leaders failing to take the small but necessary steps to protect their interests?

If we consider Martin’s point about leadership grappling with tough subjects and how a team successfully summited Mount Everest half a century ago, we should be able to offer insights into succeeding in tough conditions. If not, then at the very least it should provide some perspective.

Because whatever decision infosec leaders and business leaders make at work, everyone gets to go home at night. Everyone. So yes, infosec is critical for businesses and yes it may be stressful at times, but it doesn’t carry the same life-and-death stakes. No-one is losing their life over infosec decisions and no-one should be losing their head. In the words of the World War II motivational poster that now finds itself on tee shirts and tea towels: keep calm and carry on.

The story of the successful ascent of Everest is fundamentally about the importance of teamwork and team dynamics, careful preparation, effective risk management, continuous monitoring and responding to incidents. It exemplifies the importance of setting and achieving long-term goals through discipline and collaboration.

It’s true to say that the cyber-threat landscape and legislative landscapes are shifting. But this is true of everything. New viruses develop and the world responds. Legislators are continuously drafting new rules. And the business world responds.

But in the context of infosec, the changes aren’t occurring so dramatically that it’s impossible to put people, tools or processes in place to address the changes. Many British businesses that look to the EU as a destination for their goods or services will need to comply with the new rules under the NIS2 directive.

Businesses that fall within the scope of NIS2 must tackle the critical issue of leadership. The new obligations require that management approve and oversee cybersecurity risk management measures. To approve and oversee, leaders must understand cybersecurity risk management measures. That means that where leaders have failed to grapple with the fundamentals of information security, they must undertake training to close the gap Martin highlighted in his 2020 presentation.

Leadership and teamwork

The importance of leadership cannot be overstated. In Doug Scott’s words, Chris Bonington had “honed the art of large expedition planning to perfection”. While Bonington was a skilled and accomplished climber, his leadership skills were a key to success. Bonington nurtured skilled climbers, supported group harmony and effectively managed the complexities of high-altitude expeditions.

As part of the team, Tut Braithwaite alongside Nick Estcourt climbed the sheer obstacle at 8,200 metres known as the Rock Band, a feat that has been claimed to be the hardest extreme altitude technical climbing ever undertaken. As they climbed, they put measures in place, setting up fixed ropes that the rest of the team would rely on to make their ascent.

Bonington as the leader didn’t go with this part of the team, stand over them or bark orders at them to fix ropes here and there. Nor did he interfere with Braithwaite and Estcourt. As the leader, Bonington selected those on his team for their ability, then he gave them the tools, gear and support as well as the autonomy so that they could simply get on with the job. Leadership is not a synonym for micromanagement.

It is essential that business leaders select individuals with the appropriate and relevant skills and ability. Once this selection is made, it’s prudent for the leadership to grant their team the room to manoeuvre independently.

Changes to the legislative landscape mean that businesses can no longer simply rely on input from information security personnel. Getting it right will require team effort. Have a leader with deep technical ability, yes, but make sure that you have access to someone that understands the legal context for these new infosec obligations.

Take the matter of SolarWinds. Criminals compromised SolarWinds’ software and embedded malicious code. The successful civil litigation that followed didn’t turn on a technical matter. Instead, it was the representations in SolarWinds’ corporate documents that it had implemented best practice that gave the claimants in the case their strongest argument.

Stay in your lane

No-one is saying that the information security professionals should also understand all the rules about corporate communications, corporate law and governance. That’s why you have people who do understand those factors on your team, or you have access to those experts. Either way, when you have advice from those individuals it behoves the leadership to take their direction on the matters that fall within their areas of expertise.

Years ago I had a great boss; let’s call him Dave (since that was his name). Dave was fond of saying you need the right person in the right position. In other words, you don’t want your best logistics guy establishing the rope work or your best alpinist on strategy. Know what you do and do what you know. And get on with your job.

Alternatively, there’s always the option to go the SolarWinds route. Management blithely ignored their expert who forewarned them of the foreseeable problems that lay ahead. Failing to take reasonable care led directly to civil litigation and a $26 million payout for the claimants. Beyond the possibility of civil litigation, the financial penalties under NIS2 range from €7 million or 2.4% of global annual turnover to €10 million or 4%, whichever is higher. Pick your position and take care, or ignore the warnings and best of British luck with that.

The five Ps

Proper planning prevents poor performance. Careful preparation to manage the risks is key for two reasons. A clearly articulated strategy and plan should be in place so the team as well as the wider business understand what should happen and when. It helps to provide a framework for operating and for understanding when essential milestones have been met.

Scheduling these steps provides much needed transparency, helps to identify delays in advance and allows for prompt corrective actions. Furthermore, having a plan ensures resources are allocated efficiently, minimising waste and maximising productivity.

Bonington’s meticulous planning meant that the equipment and much of the food needed for the expedition left London months before the initiative would begin. Any gaps in essential supplies could be remediated by providing a long run-in time. There’s simply no substitute for preparation.

Moreover, Bonington wasn’t afraid to use new technology. He relied on a computer to plan his expedition, while others were still committed to pen and paper. This willingness to embrace the tools he needed to get the job done undoubtedly helped with managing the huge number of details required to keep the project on track. It also meant that Bonington and his deputy were able to provide the essential visibility to the financial backers that their resources were being put to good use. You’re not scaling Everest, but do what works for you, your team and your business.

Peak performance

The story of this remarkable ascent is not just about the physical achievement but also about the critical role that leadership, teamwork, technology and equipment play in such endeavours. It emphasises how advancements in gear and meticulous planning contribute significantly to success in extreme conditions. In other words, people, tools and processes. The point at which innovation, technology and human perseverance intersect can create extraordinary outcomes.

If half a century ago a team of men could carve out a new route on the highest mountain in the world, then today’s businesses can put the right people, tools and processes in place to manage the changing infosec and compliance landscape.

Article by: Dr Rois Ni Thuama

First printed: PC Pro Magazine, Issue 366, dated 1st March 2025, pages 116-117, ISSN 1466-3821. Issue available from https://www.pressreader.com/magazines/m/pc-pro/20250301. Subscribe to PC Pro Magazine: https://www.magazinesdirect.com/uk/pc-pro-subscription/dp/8ce631dc

Reproduced here with kind permission from PC Pro Magazine.