
SC Congress London: Bottom-up security awareness has C-level benefits


A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating the C-suite on threats coming from inside and outside the company.


LONDON, UK - The panel, entitled “Inside, outside, upside-down: Staying ahead of the threat”, comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. It drew a heated debate, not least on insider threats.

Florentine said that insider threats, which have been in the public consciousness since the first of Edward Snowden's revelations on the NSA and GCHQ last year, are front of mind for most businesses, and he cited one example where a technical employee (at an unnamed organisation) siphoned £800,000 (US $1.35 million) of revenue in just eight months.

“Insider threats, I think, are actually one of the biggest problems,” said Florentine. “At the end of the day you have to trust somebody - but it's trust AND verify.”

Communicate with C-level

Security awareness training was also front of mind at the conference in Earl's Court, which is perhaps not surprising considering recent events. Gartner's IAM summit this week also saw analysts urge companies to trust employees, while a study from Trustwave revealed that 6 in 10 FTSE companies are mentioning cyber security in their annual reports – further proof of growing awareness.

However, this increased knowledge doesn't always translate to the board level, as a Thomson Reuters Governance study late last year indicated – revealing at the time that most boards lack security nous.

As such, Schatz – also of Thomson Reuters – said that IT departments should take board suggestions on information security risks with a pinch of salt. “Don't get totally stuck by what the executive team is saying in terms of threats.”

Brackenborough, CISO at Channel 4 and formerly of the BBC, said that companies shouldn't be too afraid to collaborate with competitors in the same field - with a specialist forum set up for cooperation in his own industry.

He said that Channel 4 has often collaborated with other media companies on issues relating to, for example, on-demand services like ITV Player, BBC iPlayer and Demand 5, which share the same technologies, and that there is a benefit to “picking up the phone and having a working relationship.”

Media coverage can be beneficial

One member of the audience, a senior IT manager at the NHS, asked the Channel 4 exec whether media coverage has a detrimental effect on security in the event of a data breach, and whether it also raises the likelihood of users leaking data to outside, unauthorised sources.

But Brackenborough, while acknowledging that this can sometimes be an issue, said that media coverage can actually get the C-level suite interested in protecting their personal devices, and then their workers too.

“The media publicising the issue is quite good; it suddenly hits home and the executive board know that it could happen to us. They ask ‘are we really at risk?’ That's the point you can have that conversation and get executive support,” said Brackenborough.

Schatz agreed, adding that media coverage – as well as talking with employees – can “help improve the understanding of cyber security.”

But Brackenborough warned that this bottom-up security awareness training, while beneficial, can only work if the IT workers themselves understand the real business needs.

“The biggest thing for me is facilitating security as a business enabler – there's no point if I don't understand what they need,” he said.
