It's often said that everyone will be hacked – it's not a question of if but when – and in many cases, organisations are hacked and no one is ever the wiser.
Wise heads have turned from simply trying to secure the perimeter to working out ways of securing the data wherever it may be. But how do we do that?
That was the topic of Friday's SC Roundtable, “Mitigate breach damage with an advanced threat security posture”, sponsored by Microsoft.
Our guests for the morning's event, held at the Beaumont Hotel in London, engaged in a lively and informative discussion, led by the moderator Tony Morbin, editor in chief of SCMagazineUK.com, and by our guest speaker, Tony Collings OBE, executive chairman of the ECA Group.
Collings began his talk by remarking that the words we use to discuss information security can be difficult to define. Data breach, for instance, can mean many things to many people – he defined it as an unwanted compromise of an information system that leads to the loss of proprietary data.
Other buzzwords such as cyber and digital are more difficult to define, at least in a way that everyone can agree upon.
The other question he wanted to address from the start – which at first might appear to be a bit flippant but is in reality a serious question – was whether it is possible to prevent network security breaches altogether. His answer was no, as long as the owners of information systems want to be able to connect to the internet and other wide-area networks.
Having addressed these ontological questions that underlie the practice of information security, he moved on to the higher level questions of responsibility and accountability.
“In this game there are absolutely no known absolutes so someone needs to have a proper security assessment and a posture, to sit down and work out how you are going to deal with this,” he said. “There are two linked and inseparable things: one is the threat assessment and then there is the posture of the threat. Get it recognised by the board, make sure there is a board member who is actually accountable – not responsible, everyone has responsible in their job description – but show me someone who has the word accountable in there somewhere.”
He advised the audience to develop the plan and then get it approved by what, in the military, they call SQEPs, suitably qualified and experienced personnel, that is people who have lived the problem themselves and perhaps notched up a few failures – otherwise known as learning experiences – along the way.
Most of all, ensure that your plan is based on realistic assessments including the likelihood of specific events happening and the impact they will have on your business.
This introduction prompted Tony Morbin to ask, how then do we prioritise risks and identify what and where our assets are?
Peter Drissell, director of aviation security at the Civil Aviation Authority (CAA), replied that it started with identifying the risk appetite of the organisation, a value judgement decided by the board of directors. This, he said, was based on the knowledge and experience of the board.
“From my experience, the level of knowledge [of information security] on the board is still a concern, so my question for colleagues is, how they have approached that, rather than just having a board that are briefed with scare stories – are you just trying to frighten us to get more money? – to something which the board buy into on a business case basis. And how do you know when you have an accountable member on the board that they are accountable from a position of knowledge, they understand their accountability to the level that they need to discharge that full responsibility?” Drissell said.
Mike Everall, chief risk officer and head of information security at Fidelity Information Systems, drew a distinction between IT security managers and chief information security officers (CISOs) and said that too many organisations have the former but not the latter and therefore lack someone who is able to articulate the security message for the board of directors.
To illustrate how things might be starting to change, he cited one organisation that is in the process of recruiting a CISO, specifying that they must be able to speak to the board about risk without resorting to talking about “blinking lights or the use of the FUD club which is fear, uncertainty and doubt”.
The ideal CISO in today's environment would be comfortable articulating risk to the board as well as to human resources, legal, finance and so on, tailoring the message to each in terms that would make sense within the context of their business area.
Beverley Allen, group risk manager at Photobox, said a major part of her role in a young organisation is to help develop a better understanding of risk, whether that's from the technology or people side or even basic operational activities. It's important to identify all of the risks that face an organisation so that the directors can have a sensible conversation, she said.
Stephen Murgatroyd, director of operations at the Institute of Operational Risk, wondered what impact a detailed understanding of risk would have on the business model of a young organisation. “The board is going to look at some of this stuff and say, we are not in the business of doing this,” he said. “The resources and costs that have to be devoted to achieve the goal would probably put us out of business.”
Hiten Vadukul, enterprise architect at Virgin Active, said his organisation is working hard to move its operations into the cloud. The challenge for all businesses, he said, is to understand what they have in terms of capabilities. “We are trying to uncover what our network infrastructure is like, what state our applications are in. We are trying to classify what we have and grasp, what is the lifecycle of this system? What that helps us do is generate two viewpoints: the technical viewpoint – what is the server infrastructure behind our operations and, if it's this we need to do that, as well as the business viewpoint so the business people can go away and have sensible conversations about their processes.”
Colin Brown, solutions architect at Microsoft, interjected at this point that the old concept of ‘defence in depth’ is not enough to protect your network anymore. “You have to assume that a breach has happened, and therefore we need better detection and more effective breach response,” he said. He cited a customer (name withheld from publication) who was relieved to be able to cite Microsoft confirming that everyone gets breached, and was able to move breach discussion from one of failure to one of resilience.
Murgatroyd said a greater degree of internal surveillance was required and suggested that it called for a new understanding with staff in which they understand the need for organisations to monitor their activity. “Monitoring can be uncomfortable but if you are going to get your staff on your side, you have to be upfront with them about why you are doing it,” he said, adding that this has been achieved already in financial services.
Others suggested that better staff training was required, above and beyond the obligatory half-hour PowerPoint presentation once a year. Paul Watts, CISO at Network Rail, said, “We found the corporate messaging wasn't landing so we changed the message to personal risk. It started to resonate. We gave them lots of personal advice and gave them security advocates. It turns out they wanted to learn but they don't want to be preached to.”
The ground was laid for discussions and although the organisation is heavily unionised, when it came time for the actual negotiations, it went quite smoothly, Watts said.
Tony Collings said organisations should be entirely open about reporting and analysing breaches, pointing to the aviation industry's success with their policy of publicly reporting every near miss incident – it's published anonymously and there's no blame but the incident gets dissected so everyone can learn from it, he said.
This prompted Mike Everall to say that most of the issues in information security are not about technology. He said he tried to convince the HR department that having a criminal background check on employees when they joined – and never following it up – was inadequate. He secured funds for a pilot to check existing staff and they discovered people who had county court judgements, debts and other problems which necessitated moving these people out of sensitive finance jobs.
“Now we have a process that everyone in the organisation gets a criminal record check every five years,” he said. “HR says it was their idea! It took information security to raise it as an issue.”
Jim McCoy, technical lead for security tools and operations at Facebook, said security boils down to making it clear to all staff that it is everyone's problem and responsibility. Someone noticing, “Hey, I can walk in to the building without badging in – you need to allow people to report that without there being any consequences for them,” he said. It was an issue of creating a security culture – often initiated by the CISO articulating the risks to the board, who promote appropriate policies throughout the organisation.
Ray Evans, information security officer for the legal team at Save the Children, said that most organisations don't even know what a security culture is let alone whether their organisation has one. He said everyone should look at using the CPNI's security culture survey tool, SeCuRE 3, which he said enables organisations to identify and shape this culture.
Technology is evolving faster than the ability of organisations to adapt their cultures, so by the time they have embedded one culture it's been superseded by a new technological paradigm. Angus Foreman, CTO at Microsoft Services, said this was particularly interesting to watch as organisations made the transition to outsourced data storage and processing. “How do you take a set of on premise controls and put that into the cloud?” he said. “It's an interesting development.”
Sarb Sembhi, CISO at the Noord Group, said that with the explosion in computing power and the sheer numbers of devices that people have, we will be bombarded from many angles with security issues, so the idea of using what we have learned from safety will be key.
Meeting of minds
Rob Saunders, lead platform and security architect at Colt Technologies, said that it was clear to him that many of the people looking at technology risk and business risk are not relating the two to each other. “At the top they are amalgamated so it's difficult to separate them for analysis,” he said. “How do we compare this risk compared to all the other risks that we run lower down the organisation?”
He added: “There is an animated discussion to be had about making risk personal.”
Andrew Cortis, director of the Perimeter Group, said that operational resilience as a topic for business is here to stay. “And it will be Darwinian – either you will innovate and develop good security hygiene or we will see what happens to your business.”
This led Deborah Moir, head of UK security consultancy at BT, to observe that many of the people who were best placed to identify the technological risks to an organisation won't speak out “because they don't want to get the blame. Many of them clam up.” She too supported the way breach discussion is moving from talking about failures to ensuring resilience.
Jane Frankland, advisory board member at ClubCISO and author of a soon-to-be published book on gender diversity in cyber-security, pointed out that one of the problems of the industry is the shortage of younger people. “Most people are over 40,” she observed. “We all came into this industry in our 20s – what has happened?”
She suggested that in attempting to professionalise the industry, barriers to entry had been created that are discouraging younger people from joining. It's important to remember that information security is about communication as much as it's about technology, she said.