Monster of the week - why the government struggles with cyber security messaging
Monster of the week - why the government struggles with cyber security messaging

In early 2012, with the Olympics looming, I was a civil servant trying to explain cyber security issues to more senior civil servants.

Physical security and the safety of the attendees and athletes was the highest priority, with cyber security not far behind. As our plans developed, I became aware of an interesting phenomenon – providing assurance on physical security measures in place, despite potentially dire consequences if they proved inadequate, was relatively straightforward. People understood the threats and consequences and were comfortable with measures taken to manage risk.

Providing similar levels of assurance on cyber security was far from easy, despite the relatively benign consequences (compared with a terrorist attack) of any likely incident. The people responsible for running the Games did not have the background or knowledge to assess the issues, or the experience to distinguish bogus risks from real ones.

When a minister asked a senior policeman for assurances on counter terrorism, they could speak a common language and assurance was given. When asked about cyber security neither had the knowledge to know if the question was reasonable in the first place.

Senior executives in industry are often in the same situation. Cyber security is big news - no longer relegated to the niche press, stories on hacking are commonplace in the mainstream media, and can be on the front page of national newspapers.

Understanding the significance of any one of these stories requires more than just understanding your business – today's executive needs to understand the technologies their organisation depends on, and have a sense of how to assess the risk faced.

This is a serious issue. PWC has called this the era of the ‘cyber savvy CEO' and write that the CEO "who truly understands the risks and opportunities of the cyber world" will be a defining characteristic of organisations that flourish.

A 2012 report by the World Economic Forum (WEF) and Deloitte noted that "hyper connectivity and the evolution in cyber attacks require CEOs to take ownership of cyber risk management".

It seems the high profile of cyber security issues is having little positive effect on actual security. Every day brings reports of another high profile breach. The UK government has identified a cyber security skills gap and the working level, but this extends up to the boardroom.

Without filling that gap there seems little chance of wholesale change in the security posture of the UK PLC, as those responsible for providing effective leadership are not equipped to understand the nature and scale of the problem.

The most well received paper I wrote recently was a short piece describing what a denial-of-service attack is and, as importantly, what it isn't. This was done on the back of my slow realisation that I couldn't explain cyber threats without also explaining something of the technologies that underpin them.

The paper meant that when the recipients heard about the latest Anonymous attack, they understood the implications and were able to make a judgement call about the significance. It also made them intelligent consumers of future reporting on the topic.

Subsequent papers built on this theme explaining core internet technologies and describing the operation of key protocols (such as DNS). Each paper highlighted the strengths and weaknesses in the technology it described and outlined possible attacks and impacts.

This took the first steps towards developing the common language that exists in the physical security world, enabling sensible discussion of cyber threats. It also allowed the informed reader to understand what media of reporting of cyber security issues meant to them.

I acknowledge this is a simplified example, and I won't pretend that a few papers will solve the cyber security challenges facing UK industry. I do think it demonstrates the value of education, and the value of spending time ensuring that there is common understanding of the issues at hand.

Understanding the technologies used by a business, and the principles of protecting information, helps a board come to reasoned conclusions about cyber risks. It also enables these issues to be considered alongside other business risks such as competing with foreign state backed rivals or off-shoring a manufacturing capability.

Government initiatives and media reporting mean that boardrooms no longer ignore cyber security. The new challenge for the cyber security sector is providing the occupants of the boardroom with the knowledge needed to make sensible decisions on dealing with the issues.

Senior executives need to recognise their gaps in knowledge and take time to learn. More fundamentally we are entering an era where knowing about technology and risk are becoming essential to running a business.

Rob Pritchard is the director of Abstract Blue Consulting