During CyberSecurity Connect in Monte Carlo last week, I will admit that, on first looking at some of the keynotes and workshops, I agreed with a CISO attendee who told me that the prominence of vendor speakers had initially made his heart sink a little.
But then came the reality that not only were there some great practitioner speakers too, but the vendors had put forward subject experts who took great pains to avoid selling and genuinely shared sector expertise on a peer-to-peer level - as had been intended. The end result was that, like the CISO I'd spoken to, I was won over to the partnership approach, and I spoke to other CISOs who agreed that it had been a good opportunity to get a better understanding of the technology and tools on offer without being sold to.
With more than 200 CISOs and other senior players in attendance, networking was another prime objective for many attendees. The ever-ebullient Martin Smith, chairman and founder of SASIG, no doubt picked up on the proximity of the casino and doubled down on his usual mantra of 'make five friends', and upped the quota to '10 new friends'.
So, in a series of articles, SC's 'new friends' will provide a variety of perspectives and insights on the issues facing the industry or their organisation, and on what they believe we should be doing, or are doing, to counter them. Common themes include tackling the shift to human-focused threats, and the need for more, better-trained people to tackle them.
First up is Mark Walmsey, CISO at Freshfields, a global law firm with 27 offices around the world, whose most difficult issue was how to achieve a global approach to behaviours given a big workforce with different cultures and different views on what is acceptable behaviour online. While respect for different cultures is important, clients will say 'this is how you work wherever you are', and there is an expectation of a minimum standard. Clients are strict about how the supply chain works, and on occasion the firm can be overruled by client contractual obligations. It is of course possible to write exceptions, but people move between offices and countries and can bring their different behaviours with them, and those behaviours may be wrong in the new location.
Walmsey described his organisation's main threats as traditional phishing, plus the inherent vulnerabilities that occur during transition as the organisation implements digital transformation, such as the adoption of Office 365. This also affected behavioural risk as new ways of working were introduced, in some cases requiring HR to get involved. Examples cited included people taking data, copying it and sending it outside the network; visiting websites that would ordinarily be blocked because they are known to be malicious; and people circumventing security controls in relation to things like password re-use, length and longevity.
Priorities included reducing the amount of technology by removing duplication, ensuring that the products used were those that work for the function intended, and that they are supported properly. Outsourcing of commoditised services was under way for anything that was a repeatable process that could be done by someone else. In order to give individuals the freedoms they want, it had been necessary to invest in good governance with user behaviour analytics. It was also important to ensure transparency - to see everything happening on the network, good or bad - in order to meet contractual obligations with clients. Finally came changing the approach of security and IT so that they work together to deliver change as partners (not adversaries) in a combined effort.
Going forward, concerns included the fact that people are increasingly mobile, not at their desk, but accessing the network using a variety of devices. "It's not just IoT, but anything mobile is going to be an issue for us," commented Walmsey, adding that while his organisation was not currently targeted by nation states, he would expect the industry to see more cyber-warfare conducted by the Chinese and Russians, in Ukraine, as well as by the US and UK. Supply chain risks were also forecast to grow exponentially as vulnerabilities go through the roof. Regarding how to tackle third-party risk, Walmsey suggested that, while contract terms were an important factor, the key was the need to understand the maturity of the supplier. "We will see more people attacking the supply chain. As companies say who they supply, hackers will know who to target. (At the top end) they are sophisticated and driven with one ambition, and almost impossible to prevent," he added.
When it comes to regulations such as GDPR, Walmsey suggested it was useful for the industry as it provides a base level for security, and was good because it is formalised. But in the legal industry, both the client base and the regulations to which firms are subject made many of these aspects a requirement anyway. He concluded, "Regulation is good as long as it's written by people who understand what the threat vector looks like."
Given that many legal firms are relatively small in comparison to the value of the IP they hold - for mergers and acquisitions, or the legal affairs of major high-net-worth individuals - SC asked how they cope with security with limited teams. Walmsey suggested that if you have a significant security requirement but don't have the budget for a big team, you still have to invest in the staff aspect. Given that good behaviour reduces threats - with, he said, 98 percent of breaches prevented by users knowing the risk and taking appropriate measures - that means investing in user awareness and training, with smaller organisations needing to invest heavily in individuals, make them accountable and reward good behaviour. You should also provide added protection for your key assets.
Walmsey also suggested that the security profession needs to take control of developing the talent pipeline, saying, "We all have a responsibility to recruit through skills development schemes, offering apprenticeships. We took five students straight out of university and set them up as a tactical team, working across all areas. By investing in them, we were getting brilliant service after six months. People think they don’t have the time to invest, they think they want seasoned professionals, but investing in youngsters or people transitioning (from other roles/professions), they can learn on the job so learn to do it right. Now we have got the talent to inject into different areas."