SC Congress London: Bottom-up security awareness has C-level benefits

News by Doug Drinkwater

A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating C-suite on threats coming from inside and outside the company.

LONDON, UK - The panel, entitled “Inside, outside, upside-down: Staying ahead of the threat” comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. It drew a heated debate, not least on insider threats.

Florentine said that insider threats, which have been in the public consciousness since the first of Edward Snowden's revelations about the NSA and GCHQ last year, are front of mind for most businesses. He cited one example in which a technical employee at an unnamed organisation siphoned off £800,000 (US $1.35 million) of revenue in just eight months.

“Insider threats, I think, are actually one of the biggest problems,” said Florentine. “At the end of the day you have to trust somebody - but it's trust AND verify.”

Communicate with C-level

Security awareness training was also front of mind at the conference in Earl's Court, which is perhaps not surprising considering recent events. At Gartner's IAM summit this week analysts also urged companies to trust employees, while a study from Trustwave revealed that six in ten FTSE companies now mention cyber security in their annual reports, further evidence of growing awareness.

However, this increased awareness doesn't always reach board level: a Thomson Reuters Governance study late last year indicated that most boards lack security nous.

As such, Schatz said that IT departments should take board suggestions on information security risks with a pinch of salt. “Don't get totally stuck by what the executive team is saying in terms of threats.”

Brackenborough, formerly of the BBC, said that companies shouldn't be too afraid to collaborate with competitors in the same field; a specialist forum has been set up for exactly that kind of cooperation in his own industry.

Channel 4 has often worked with other media companies on issues relating to on-demand services such as ITV Player, BBC iPlayer and Demand 5, which share the same underlying technologies, and he said there is real benefit in being able to “pick up the phone and have a working relationship.”

Media coverage can be beneficial

One member of the audience, a senior IT manager at the NHS, asked the Channel 4 exec whether media coverage has a detrimental effect on security in the event of a data breach, and whether it raises the likelihood of users leaking data to outside, unauthorised sources.

Brackenborough acknowledged that this can sometimes be an issue, but said that media coverage can actually get the C-suite interested in protecting their own personal devices, and then those of their workers too.

“The media publicising the issue is quite good; it suddenly hits home and the executive board know that it could happen to us. They ask ‘are we really at risk?' That's the point you can have that conversation and get executive support,” said Brackenborough.

Schatz agreed, adding that media coverage – as well as talking with employees – can “help improve the understanding of cyber security.”

But Brackenborough warned that this bottom-up security awareness, while beneficial, only works if the IT and security staff themselves understand the real needs of the business.

“The biggest thing for me is facilitating security as a business enabler – there's no point if I don't understand what they need,” he said.
