
SC Congress London: Bottom-up security awareness has C-level benefits


A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating C-suite on threats coming from inside and outside the company.


LONDON, UK - The panel, entitled “Inside, outside, upside-down: Staying ahead of the threat”, comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. It drew a heated debate, not least on insider threats.

Florentine said that insider threats, which have been in the public consciousness since the first of Edward Snowden's revelations on the NSA and GCHQ last year, are front of mind for most businesses, and he cited one example where a technical employee (at an unnamed organisation) siphoned £800,000 (US $1.35 million) of revenue in just eight months.

“Insider threats, I think, are actually one of the biggest problems,” said Florentine. “At the end of the day you have to trust somebody - but it's trust AND verify.”

Communicate with C-level

Security awareness training was also front of mind at the conference in Earl's Court, which is perhaps not surprising considering recent events. Gartner's IAM summit this week also saw analysts urge companies to trust employees, while a study from Trustwave revealed that 6 in 10 FTSE companies are mentioning cyber security in their annual reports – further proof of growing awareness.

However, this increased knowledge doesn't always translate to the board level, as a Thomson Reuters Governance study late last year indicated – revealing at the time that most boards lack security nous.

As such, Schatz, also of Thomson Reuters, said that IT departments should take board suggestions on information security risks with a pinch of salt. “Don't get totally stuck by what the executive team is saying in terms of threats.”

Brackenborough, CISO at Channel 4 and formerly of the BBC, said that companies shouldn't be too afraid to collaborate with competitors in the same field - with a specialist forum set up for cooperation in his own industry.

He said that Channel 4 has often collaborated with other media companies on issues relating to, for example, on-demand services like ITV Player, BBC iPlayer and Demand 5, which share the same technologies, and that there is a benefit to “picking up the phone and having a working relationship.”

Media coverage can be beneficial

One member of the audience, a senior IT manager at the NHS, questioned the Channel 4 exec on whether the media is having a detrimental effect on security in the event of a data breach, with it also raising the likelihood of users leaking data to outside, unauthorised sources.

But Brackenborough, while acknowledging that this can sometimes be an issue, said that media coverage can actually get the C-level suite interested in protecting their personal devices, and then their workers too.

“The media publicising the issue is quite good; it suddenly hits home and the executive board know that it could happen to us. They ask ‘are we really at risk?’ That's the point you can have that conversation and get executive support,” said Brackenborough.

Schatz agreed, adding that media coverage – as well as talking with employees – can “help improve the understanding of cyber security.”

But Brackenborough warned that this bottom-up security awareness training, while beneficial, can only work if the IT workers themselves understand the real business needs.

“The biggest thing for me is facilitating security as a business enabler – there's no point if I don't understand what they need,” he said.
