This week:

3 – Where to look if you need to ask intelligent questions about cyber security.

2 – Admit it: Your CISO is really an ISM.

1 – iPhone security. For sober people.


3 – Questions any board member can ask about cyber security.

“Organisations have a responsibility to take action to manage their own cyber risk but stronger frameworks of accountability and good governance are needed at board level to make this a priority [..] business resilience and cyber security as intrinsically linked. By neglecting basic cyber security principles and not understanding cyber in the broader context of business resilience, many senior leaders are failing to take responsible action to mitigate threats to business operations.”

This is according to the UK’s Department for Science, Innovation and Technology, which recently released its draft Cyber Security Governance Code of Conduct (which was mentioned recently in PDP’s Data Protection News newsletter). The objective is to “bring together the critical governance areas that directors need to take ownership of in one place, in a form that is simple to engage with, for organisations of all sizes [and] formalise [the UK] government’s expectations of directors for governing cyber risk as they would with any other material or principal business risk.”

So what? If you need to understand the effectiveness of your organisation’s cyber security risk management and need to figure out some intelligent questions that you could ask, Annex A (“The Code of Practice”) of the document provides a plain English baseline.

(PS If you need someone to help you with this, including section [E] (“Assurance and oversight”), you know who to call. In case you don’t get the hint, I’m talking about me!)


2 – Admit it: Your CISO is really just an ISM.

“CISOs [Chief Information Security Officers] are increasingly being asked to assume the responsibilities of what would normally be considered a C-suite role, but without being regarded or treated as such at many organizations”

This is according to a report on Dark Reading (and recently shared by Secure The Village), which discusses the results of a survey of 663 security executives. “There is a growing expectation [from regulators] that the CISO will primarily serve as a business risk-management function, with a clear voice at executive leadership meetings and a direct line of communication with the CEO and C-suite. [And yet,] the CISO role is frequently not part of the senior leadership team.”

So what? The CISO role should be seen as a second line / risk management role. If your CISO reports to a first line executive, or even worse, works for the outsourced third party that performs your IT operations, there is an obvious conflict of interest and there will always be a question mark over their independence. After all, ‘your’ CISO is being asked to check the homework of their colleagues and their boss. They ain’t a CISO – At best, they’re an ISM (Information Security Manager). ISM is an important role, but let’s not pretend it is the CISO role.

(PS If you think there’s nothing wrong with how things are done today, then why did 75% of respondents say they were looking to for a new job?)

(PPS If you need independent assurance and oversight, but don’t have access to anyone who can do this for you, I can help.)


1 – iPhones get Stolen Device Protection. Useful for sober people.

The latest version of iOS (version 17.3) now includes “Stolen Device Protection”, which can help protect your accounts and personal information in case your iPhone is stolen. New features include “Security Delay”, which stops criminals from immediately disabling some of your phone’s most important security settings.

Our phones have so much valuable information on them and they provide access to a lot of very valuable accounts. So, we face a range of significant risks if our phone is stolen, especially if the criminal knows the screen’s PIN code. This interview on The Wall Street Journal shows how it happens and the impact on victims. “Security Delay” will slow the process down.. by 1 hour. Apparently, this gives the victim enough time to (a) realise their phone has been stolen and (b) log into iCloud from another device and lock / wipe the device before the criminals can change their PIN and iCloud password.

So what? This is a useful security upgrade, so you should install it and enable it as soon as possible. However, I’m not so sure 1 hour is long enough, especially if this happens on a night-out. Especially when you are “out out”! To reduce the impact of a stolen device, I provided some pragmatic recommendations in this December 2022 article: ‘Your phone is your wallet’.

(PS There are other hidden functions within an iPhone’s settings that will reduce the impact if a criminal gets their hands on your iPhone and knows your PIN code. For example, you can block changes to your PIN code or Face ID / Touch ID settings until a different PIN code is entered. I discuss all of this in my ‘Secure Foundation’ course on