How systems thinking creates joined-up security

It’s a shame that the term ‘systems thinking’ comes off as a bit dull, isn’t it? Because it’s quite a clever and succinct little expression that describes something humans have attempted to do for millennia – making sense of the world by looking at its parts and relationships, observing how things are interconnected and, most importantly, improving how things work. We often do it without even knowing that we’re doing it, but when it’s conscious and considered, it’s very powerful indeed.

Take, for example, Dinesh Dilip Panjwani’s world. He is our Vulnerability Lead in PSIRT (Canon EMEA’s Product Security Incident Response Team) and, as the name suggests, he plays a key role in making sure our products are secure. “Any problems are reported to us, and then we assess whether it is genuine. If it is, we then fix it, issue any patches or firmware and disclose information to our customers, along with CVE [Common Vulnerabilities and Exposures] publication”, he explains. On the face of it, Dinesh might appear to occupy a closed loop within Canon, working within a very specific area of the business on an entirely niche set of circumstances, but this couldn’t be farther from the truth. He and his colleagues are part of a much wider ecosystem, within a team dynamic that isn’t seen as often as it should be, but is much admired in the world of information security.

You see, frequently, the worlds of product and corporate security do not meet. There’s a view that one is externally facing (working with and supporting products purchased by customers), and the other is internally facing (ensuring that the systems an organisation uses to do its daily work are secure). But our approach, and the team within which Dinesh works, sees them as two sides of the same coin. In fact, and let’s bring the systems thinking back into play here, we believe that society at large would be safer if product security was always hand in hand with corporate security. Why? Because a weakness in either leaves an organisation – and its partners, suppliers and customers – vulnerable everywhere.

“Our CSIRT [Corporate Security Incident Response Team] function mitigates or resolves security issues related to the systems that we use to serve our customers,” explains Dinesh. “Like so many others, we are both vendor and customer – working towards the overall security of our company and, by extension, the security of a huge number of other companies too. Because of this, corporate and product security should share a common language. Our goals are one and the same.” This also means they can share resources, inform and support each other, and even create the feedback loops that are the hallmark of effective teams.

However, this explanation doesn’t quite do the role of this integrated security team justice. Especially when you’re looking at it from a wider systems thinking perspective. Dinesh and his colleagues are connected across the organisation in many ways that might not immediately spring to mind. In a business that is as close to customers as we are, there are many areas where security expertise isn’t just required – it’s essential.

This means that the team will be actively involved in tenders and contracts – from providing cybersecurity frameworks and assurances to being the expert voices on data privacy, regulatory, legal, and compliance. They play an important role in business development too, frequently attending customer visits, being a presence at our showrooms, and, in short, contributing to sales wins as well. Dinesh’s opposite number in CSIRT, Wouter van Gils, has close relationships with our subsidiary companies, supporting them through audits and in applications for certifications, such as ISO. Again, creating unity and continuity across Canon.

But there is also an incredibly strong emphasis on education. Indeed, it’s one of the key tenets of digital security at Canon. “We have Education Leads who are responsible for raising awareness of both product and application security,” explains Dinesh. This work stands equally among the responsibilities of the security team and is successfully creating a strong culture of digital safety across the whole EMEA organisation, which further strengthens our reputation for excellence and the value of connected thinking.

This certainly challenges any misconceptions of information security professionals as introverts who never step away from their computers. Dinesh and his colleagues are about as far away from the stereotype as it’s possible to be. They regularly attend industry events, and Dinesh is part of a valuable network of security researchers and ethical hackers – a generous community that shares knowledge and resources, again, contributing to digital safety across the board.

All this together proves an obvious point, but a significant one nonetheless: it’s important to take that step back, to look at the big picture. Two teams operating in parallel would be straightforward, easy even. But would it be truly effective? The answer from our Senior Director of Information Security, Product Security and Global Response, Quentyn Taylor, is quite simply “No. Otherwise, we only see half of the picture – integrating in this way lets teams see the other side of the coin, granting better visibility for vulnerability management.”

So, where we are today is the result of some years of observation – to understand what works smoothly and to learn the places that don’t quite mesh as needed. It’s about building a team that considers the way the organisation works as a whole and how it can add the most value. This is why systems thinking is really smart and not dull at all – because it can result in the kind of thoughtful redesigns and surprising new ways of working that not only help Chief Information Security Officers to sleep soundly, but should bring us all peace of mind.
