In a keynote speech Kate Adie, former BBC chief news reporter addressed the InfoSecurity Europe 2019 audience on the topic of risk and resillience.
As most of her listeners are not likely to be personally going into war-zones, coping with physcial danger and fear, lessons on the kind of human resilience required might not seem particularly relevant for desk-bound cyber-security warriors.
But that's not to say there were no parallels. Whether it was revisiting witnessing the killing of some 10,000 unarmed demonstrators on Tiananmen square by the Chinese army 30 years ago and deciding when to get out, coping with fear when being caught in sniper fire in Beruit, or enduring the aftermath of an earthquake in Armenia, Adie's advice on how to keep functioning under extreme pressure was deceptively simple. Learn your job and know it inside out - using a checklist if necessary, so you can do it automatically without freezing, and keep learning, always, as things are always changing. Know yourself, and why you are doing what you are doing - and you can weigh your appetite for risk against that.
For the first part, it sounds pretty much like the cyber-security mantra of 'do the basics' - and have breach recovery plan. And as for needing to have a good answer for why you are doing what you do, its reasonable to assume people in this industry have a pretty solid response of protecting their organisation's data and systems - and in some cases, directly protecting society. In which case, we can, "go to bed knowing you have a good answer - which gives you the commitment and energy you need."
Another anology that could be transferred from the good journalist is the need to get to where the problem is, gather the facts, verify them, and transfmit them. When attribution is so difficult in online attacks, we also need the kind of threat intelligence that enables you to, "See for yourself, be an eyewittness, nail the facts, ask everyone. Find out what is going on from the people on the ground. And never take just one surce - get dozens - from people with different views and allegiancies to help verify." And transmitting them can be the turning of data into actionable intelligence passed on to the appropriate person who needs to act on it.
Clearly, in an age of 'fake news' it has become ultra important for the dwindling number of journalists to go to the source. And its equally vital for cyber-security defenders to evaluate their intelligence in terms of where it has been obtained from and how likely/possible it is that it could be subverted via a false-flag operation. While president Trump's current state visit was not mentioned, Adie did remind how state run news agencies around the world are not providing news, but propaganda, while demagogues are undermining the credibility of western news agencies with the 'fake news' label being put on anything they don't like. Hence the call to 'See for yourself, be an eyewittness' - and maybe stretching the analogy - this could apply to ensuring you know what your outsourced providers are doing, keep an eye on operations and verify.
Specifically relating to the threats to critical infrastructure, Adie noted how the more sophisticated we are the quicker we fall, citing the expample of Sarajevo, a city the size and sophistication of say Bristol, which saw its electricity and water cut off and go from the 21st century to 15th in three days.
So while her audience may not need tin hats and dodge bullets on their way to work, the vital role of protecting critical national infrastructure, avoiding power station shutdowns and the like, has equally dramatic implications if they fail. That knowledge, that they are indeed 'fighting the good fight' should inspire defenders to put in the hard work and long hours fighting what can, at times, seem like a fearful and overwhelming adversary.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout