Half main boards now have cybersecurity on their agenda: but most have no strategy

During the past fortnight I have attended the launch of the ICAEW Audit Insights report on Cyber Security , two Cyber Security Challenge networking events, the launch of the “Tomorrow’s City” and “Financing Tomorrow’s City” programme, an INCA summit on ubiquitous broadband , a presentation on the Cyber Security Skills programmes that e-Skills will be launching over the next month or so and a presentation by Tempest on the skills needed to organise intelligence led responses to the threats faced by large organisations.     

All the meetings were “off the record” and I do not intend to breach confidence – but a common thread was that the pace of change is accelerating. It has left behind the “solutions” peddled by most commentators. It is, therefore, not suprising that main boards are getting pissed off with those who preach awareness instead of suggesting realistic action plans to address the threats they know they face today, let alone those they fear tomorrow .

Perhaps the most interesting feature of the ICAEW report was that the UK’s six largest audit practices have come together and compared notes. Two year ago cyber security was not on the agenda of any main board. This year over half their major clients have discussed it at least once. Much of the credit for that change must go to the publicity for the Government’s Ten Steps . But these were only a start point.

The four key points in the ICAEW report were:

  • Businesses should consider cyber in all their activities
  • Businesses need to accept that their security will be comprised
  • Businesses should focus on their critical information assets
  • Most Businesses do not get the basics right

My “quibble” with the ICAEW report is that their definition of “basics” focusses on the technology. The collapse of corporate loyalty (as a result of outsourcing) combined with annual turnover rates of over 30% among those with the skills in most demand (including information security) means that neglect of the basics with regard to people management and motivation is at least as dangerous.

The CEO of Tempest has agreed to do me a guest blog on the key points in his presentation but one of the most interesting was that neither the direction of the threat analysis, nor the communication of the results can be sensibly outsourced. The reason is that both depend on an understanding of the business, including its culture as well as its priorities and business models. This was particularly important given the way that groups of attackers target particular business sectors in different ways: thus those attacking media organisations are usually seeking to identify the sources used and compromise the integrity of news feeds rather than commit fraud, steal IPR or disrupt the printing presses. Much of the technical work of monitoring and responding to attacks, collating intelligence and “asset recovery” can, however, be outsourced.

This led me to wonder why it is that so few organisations have a vigorous “asset recovery” strategy. We often hear that it is “too difficult” but I have now heard of three large organisations which routinely use a mix of civil and criminal law to identify and bankrupt not only those who were defrauding them but the suppliers of the tools they use. It has been a win win strategy. They may not have been able to identify more than a fraction of the attackers or their accomplices but the volume and sophistication of the attacks on them has fallen dramatically: word got round the chat rooms and their attackers decided to focus on their less robust competitors instead.

Perhaps the most important message that I have picked up over the past fortnight is, however, that the main cyber security audit practices and consultancies are planning to double, treble or even quadruple the size of their forensics and investigation teams. This is happening at the same as government is trying to do the same. Meanwhile UK and European regulators are planning to increase the compliance overheads that dishearten and distract those working for user staff, so that the latter will be more likely to leave for higher pay and more interesting work – lower risk and more probablity of reward.

The current staff merry-go-round is therefore likely to accelerate sharply next Spring.

This will in turn present major opportunities for the technically competant but “bent” to infiltrate your organisation. One of the other groups of professionals that will also come under strain is therefore those who organise vetting and monitoring services. Co-operation will be essential and initiatives like the new CREST service for accrediting incident responses services are most timely.   

Those who do not allocate budgets now, in order to help extend and use the various training and apprenticeship programmes being planned by e-Skills and City and Guilds so as to use these to help reskill and retain the staff they already have, let alone draw in good quality recruits, will be in big trouble by next summer.

Therefore the first action point in the main board cyber security strategy should be the allocation of responsibility and budgets for identifying, vetting, training, monitoring and retaining the skills they need, including those which they must have in-house and those they can afford to contract out.

How big should those budgets be?

That will depend on the value of the assets to be protected to the organisation and to those attacking it – hence the importance of an intelligence led strategy.