It can be overwhelming attempting to defend an organisation against myriad cyber-threats that confront it on a daily basis. Knowing how to defend, or what to defend an organisation with, is just as overwhelming, said Michael Everall, an independent CISO and virtual CISO consultant.
Everall, who has been in senior cyber-security roles at FIS Global, VTB Capital, Lehman Brothers Estate (post bankruptcy), HSBC and Dresdner Kleinwort, was the keynote speaker at the SC Roundtable entitled, “The Threat Landscape”.
Held atop the Sky Garden in London, the Roundtable was sponsored by ZoneFox, a market leader in User Behaviour Analytics which provides visibility on how data is being used – and who's accessing it – to help protect information against the insider threat.
(Photo caption: Mike Everall presenting at the SC Roundtable: The Threat Landscape)
A good security posture has less to do with big numbers and impressive pieces of gear than it does with policy and process. These, said Everall, "will be reusable time and time again". Good security policy can be recycled "so when the new thing comes along, we're not being driven by it, but driving it".
As an industry, said Everall, "we're pretty piss-poor at sharing information". That doesn't just go for sharing information within the sector, but within the company.
The company, employees and the board must be made to understand why certain websites or practices are restricted. To achieve this, engagement is key: "If you can't get that you have a problem." However, if security is inserted at the process level, it can be seen as a business enabler, not a burden.
Using fear, uncertainty and doubt – colloquially known as FUD – in expressing the need for security will not work either: "You can do that once or twice and then after that you will lose any credibility." These things need to be communicated in an understandable, calm manner, he said.
Above all, concluded Everall, security professionals need to get out of their reactive modes: "Are we driving or are we being driven by the bad actors out there?"
(Photo caption: Max Dalziel, director of IHS Markit)
Vince Warrington, a cyber-security consultant and director of Protective Intelligence, said that in his experience, "You find the board members all sit there and then none of them understand the risk." There is a culture at the top, added Warrington, where executives don't know what they're talking about and are afraid to ask. Unfortunately, he said, you can have all the policies and procedures that you want but in the end, "culture eats strategy for breakfast".
The voluntary sector offers some lessons on how to deal with security at a cultural level. The "old, logical ways don't work with everyone," but if you key into people's emotions, you might be more successful. Charities already have that emotional engagement because everyone is so committed to the cause.
Nic Miller, CISO of hedge fund Brevan Howard, described his own strategy. Miller tests the strength of staff passwords with a cracking program. If your password is easily cracked, he'll let you know that you have to change it. If it passes, you get to keep it for a year.
He said employees "don't care about that work password very much, and it's hard to make them care". Showing them how simple their credentials are to break might make employees think twice about not only their password at work, but wherever else they might have used the same password.
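As an added illustration of the audit Miller describes (this is example code written for this article, not Miller's or Brevan Howard's tooling), the following Python script compares stored password hashes against a denylist of weak passwords and flags accounts that must change, while passing accounts get a review date one year out. It also applies the same denylist proactively when a new password is chosen. All user names, hashes and the weak-password list are constructed for the example; real deployments would use salted, slow hashes and a much larger breach-derived list, and SHA-256 is used here only to keep the code short.

```python
import hashlib
from datetime import date, timedelta

# Constructed denylist of weak passwords (in practice: a large breached-password list).
WEAK_PASSWORDS = ["password", "Password1", "welcome123", "summer2017", "qwerty"]

REVIEW_PERIOD = timedelta(days=365)  # a passing password is kept for a year


def sha256_hex(text):
    """Unsalted SHA-256 hex digest; used here for brevity, not as a recommendation."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample of stored staff hashes (no real credentials).
STAFF_HASHES = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("correct horse battery staple"),
    "carol": sha256_hex("welcome123"),
}


def audit(staff_hashes, weak_list, today):
    """Return {user: (status, next_review_date)} for every stored hash.

    A hash that matches any denylisted password gets 'change_required' and
    no review date; everything else gets 'ok' plus a review date a year out.
    """
    weak_lookup = {sha256_hex(p) for p in weak_list}
    report = {}
    for user, stored_hash in staff_hashes.items():
        if stored_hash in weak_lookup:
            report[user] = ("change_required", None)
        else:
            report[user] = ("ok", today + REVIEW_PERIOD)
    return report


def is_acceptable(candidate, weak_list):
    """Proactive check at password-change time: reject denylisted choices outright."""
    return candidate not in set(weak_list)


if __name__ == "__main__":
    for user, (status, review) in audit(STAFF_HASHES, WEAK_PASSWORDS, date.today()).items():
        print(f"{user}: {status}" + (f" (review {review})" if review else ""))
```

Running the script prints one line per account; users whose hashes match the denylist are told to change, the rest are left alone until the next annual review.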
Luke Hebbes, risk and design manager for G-Research, is in an enviable situation. A tenth of the company are devoted to IT security and the board are completely on side when it comes to cyber-security.
But, he reminded the room, even this apparently ideal culture can have drawbacks: "If you're not careful you can go too far." If the risk appetite is too low, "then you end up with a low risk tolerance", which can make agile operation hard.
Delegates were in agreement that motivating the workforce is difficult, but there are ways to inspire the troops. "The biggest challenge for me is making awareness more personal and making it fun," said Lindsay Shure, head of information security at University College London.
(Photo caption: Mark Evans, CIO of Rider Levett Bucknall)
Mark Evans, CIO of Rider Levett Bucknall, a global construction company, added that the way his company sold security was to make awareness a kind of "song and dance show".
Matt Little, CTO of ZoneFox and our sponsor for the day, proposed that putting such concerns under the heading of risk management might help executives see security in a new light. Tools like BitSight, which commodify security practices, might help you to win over the board, said Max Dalziel, director at IHS Markit: "When you can benchmark yourself against your peers and demonstrate how successful your strategy has been, you can turn it into a marketing tool."
Failing to get a company up to basic standards of security could soon have serious consequences. The EU's incoming General Data Protection Regulation (GDPR) raises the prospect of fines on errant companies of up to four percent of global revenue. The fact that the UK will soon be leaving the European Union is irrelevant, as the Information Commissioner's Office has confirmed it will expect companies to abide by the regulation even after Brexit.
Evans bemoaned 'the zombie security army', people who find themselves in positions of responsibility within IT security, charged with managing data compliance for instance, but lacking the qualifications for the job. Shure agreed that the regulation could be a threat "because there will be unqualified people overseeing it".
This becomes even more worrying when considering that under the GDPR, companies will be liable for the theft of their data from insecure suppliers or third parties, considerably expanding the attack surface but reducing overall control.
Nick Ioannou, a noted blogger and head of IT at architecture firm Ratcliffe Groves Partnership, remarked that though tickbox regulation is "good to have, it's not the gold standard". When it comes to third parties, "bits of paper are not as important as the culture".