
SC Congress London: Bottom-up security awareness has C-level benefits

A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating the C-suite on threats coming from inside and outside the company.

LONDON, UK - The panel, entitled “Inside, outside, upside-down: Staying ahead of the threat”, comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. It drew a heated debate, not least on insider threats.

Florentine said that insider threats, which have been in the public consciousness since the first of Edward Snowden's revelations on the NSA and GCHQ last year, are front of mind for most businesses, and he cited one example where a technical employee (at an unnamed organisation) siphoned £800,000 (US $1.35 million) of revenue in just eight months.

“Insider threats, I think, are actually one of the biggest problems,” said Florentine. “At the end of the day you have to trust somebody - but it's trust AND verify.”

Communicate with C-level

Security training awareness was also front of mind at the conference in Earl's Court, which is perhaps not surprising considering recent events. Gartner's IAM summit this week also saw analysts urge companies to trust employees, while a study from Trustwave revealed that 6 in 10 FTSE companies are mentioning cyber security in their annual reports – further proof of growing awareness.

However, this increased knowledge doesn't always translate to the board level, as a Thomson Reuters Governance study late last year indicated – revealing at the time that most boards lack security nous.

As such, Schatz – also of Thomson Reuters - said that IT departments should take board suggestions on information security risks with a pinch of salt. “Don't get totally stuck by what the executive team is saying in terms of threats.”

Brackenborough, CISO at Channel 4 and formerly of the BBC, said that companies shouldn't be too afraid to collaborate with competitors in the same field - with a specialist forum set up for cooperation in his own industry.

He said that Channel 4 has often collaborated with other media companies on issues relating to, for example, on-demand services like ITV Player, BBC iPlayer and Demand 5, which share the same technologies, and that there's a benefit to “picking up the phone and having a working relationship.”

Media coverage can be beneficial

One member of the audience, a senior IT manager at the NHS, questioned the Channel 4 exec on whether the media is having a detrimental effect on security in the event of a data breach, with it also raising the likelihood of users leaking data to outside, unauthorised sources.

But Brackenborough, while acknowledging that this can sometimes be an issue, said that media coverage can actually get the C-level suite interested in protecting their personal devices, and then their workers too.

“The media publicising the issue is quite good; it suddenly hits home and the executive board know that it could happen to us. They ask ‘are we really at risk?' That's the point you can have that conversation and get executive support,” said Brackenborough.

Schatz agreed, adding that media coverage – as well as talking with employees – can “help improve the understanding of cyber security.”

But Brackenborough warned that this bottom-up security awareness training, while beneficial, can only work if the IT workers themselves understand the real business needs.

“The biggest thing for me is facilitating security as a business enabler – there's no point if I don't understand what they need,” he said.
