“One of the messages from President Obama’s recent cybersecurity summit was summarised by American Banker as “We have to protect the trust of the consumer or it’s game over”. The latest PwC Global Economic Crime Survey indicates that over half of all global CEOs are aware of the cyber problem – but more are concerned over bribery and corruption. They are right to be so concerned. Other studies show that over half of major incidents, whether fraud or “cyber”, involve insiders – whether careless or malicious. And when it comes to malice, the CPNI study of the Insider Threat shows that it is disproportionately men who are the risk.
Most CEOs are already only too well aware of the risks. They have no need for yet another patronising awareness campaign. But what should they actually do?
I have already blogged on part of the answer: select and retrain those you already trust rather than hire short-stay compliance officers and security staff of unknown probity. Hence also my recurrent calls for inputs to my exercise with the Tech Partnership on the skills with which they need to be retrained. I am now coming to the end of that exercise and am due next week (inputs still welcome) to report on who should be trusted to help specify and deliver the training modules needed – particularly for those planning, developing, installing and running the organisation’s Identity and Access Management processes and technologies: the key point of vulnerability.
However, another message has come through at many of the meetings I have been attending. And it does not appear to be at all popular when I point it out.
Men are usually at the heart of the problem. Women are usually at the heart of the answer.
Yes, there are some female hackers and fraudsters, but almost all malicious leaks and attacks involve men, as do most of the accidental leakages and system failures. Moreover, the proportions are not explained simply by the proportion of men and women in roles where they can undermine or bypass systems, make mistakes or take unnecessary risks.
When it comes to non-malicious risk, the story of Bletchley Park is apposite. It was 80% female, including some of the top code breakers, but we only know what was done there because some of the men craved public recognition.
We now have the “Turing industry” (from films to institutes). I commend the Wikipedia entry for a summary of the real achievements of Alan Turing (as opposed to the pastiche in The Imitation Game). Meanwhile we still know almost nothing of the contribution of his fiancée, Joan Clarke, who became deputy head of Hut 8 when he left for the United States and went into GCHQ after the war. We know nothing of the work of Rosalind Hudson, the other named female cryptographer in Hut 8, who died in 2013 having never spoken of her work at Bletchley, save that she is named there in the list of code breakers, as opposed to the approximately 150 support staff.
That female ability to maintain security while also fighting and winning a cyberwar can also be seen with regard to the team which broke the Abwehr Enigma codes, thus enabling the Double Cross operations without which the “relatively bloodless” D-Day landings might have been impossible.
Mavis Batey was only 19 when she helped save a British supply convoy and kill 3,000 of the Italian sailors involved in the failed ambush three days (three days!!!) after she had broken the Italian Enigma code, thanks to the carelessness of a male operator who had simply pressed the letter “L” to encrypt a test transmission. Meanwhile we know nothing of her colleague, Margaret Rock, save for her letters to her brother and that she, like Joan Clarke, joined GCHQ after the war. We still know almost nothing about the other members of Dilly’s Fillies, the (almost) all-female cryptography team which assisted Bletchley’s top (better than Turing, but died in 1943) codebreaker, Dilly Knox. We do know, however, why he recruited them: better lateral thinking, teamwork and temperament.
There is a message here. I wonder who will decipher it.”