Steve Purser, ENISA - A Cyber Hero by CaptainCyber
Who are you?
So my name is Steve Purser. I'm head of operations for the European Network and Information Security Agency, which is now actually the EU Cyber Security Agency, since our latest mandate.
What is the role of ENISA?
The role of ENISA in general terms is to increase the level of security throughout Europe, both in the public sector and in the private sector. How does it do that? Not by doing the security itself, of course. We're only around 100 people. We work very closely, in part an area with member states, with private sector and with specialized groups. And our job is really to bring experts together in the right configurations to solve specific problems. An example of this would be we run probably the world's biggest cybersecurity exercise, where we bring all the member states together over a period of one to two days to cope with European level cyber attacks.
What is cybersecurity for you?
It covers many things. It covers securing products and tools. It covers securing information and systems, but it also covers the people and process aspect. So essentially, cyber security covers everything you need in order to run your operations in a secure manner, either at a national level or the level of a large conglomerate or even at the level of an SME.
Is cybersecurity a real priority in Europe?
Every member state has its own priorities. Some member states, like the bigger ones, are extremely mature. They have big cybersecurity agencies. They're able to cope with a lot. Smaller member states have smaller teams. They have different problems. That's fine. Our job at ENISA, I think, is to be able to use the big to help the small and sometimes our own carriers to use this more, to help the big, because it's not necessarily that you're big, that you have all the cyber skills. The art for ENISA is to try and balance national prerogatives with European prerogatives.
The best way to make cybersecurity work?
All cybersecurity is a mixture of three things: people, process and technology. And everyone sees the technology thing. You tend to forget the people in the process. But when I was a CISO, the biggest mistake I made was not giving sufficient emphasis to the people side and the culture side. You can write the best document in the world and it can be absolutely correct. But if you don't persuade the people to adopt it, you're lost. So I would say there are some general rules. You need good communication. You need to be able to get over to your audience why you were doing something, the importance of it. And you need to involve them.
I mean, what is awareness, right? I can be aware, but I'm not doing anything. So awareness should become participation. This is very key.
The processes are scalable. By investing in them, they're not likely to change as much as the devices themselves.
What gets you out of bed in the morning?
Our target is to reach people like the national cyber security agencies to reach shore. Very big companies and associations, but not 500 million people. So we rely on this multiplier effect. I don't think it works as well as it could do. And it's one of our objectives.
But my hope, obviously, is that we can generate a level of conversation throughout the communities that will gradually permeate down right into people's households.