The Next Threat Landscape: What to Expect was the title of the latest CW500 security event, which brought together IT professionals and IT security experts to discuss the challenges facing organisations today.
Speakers from information security body (ISC)2, the UK’s new national computer emergency response team (CERT-UK) and Heathrow Airport Holdings presented their own observations and challenges to an audience of IT leaders.
Given the title of the event it is perhaps unsurprising that top talking points included the security risks brought by the industry hot topics of the Internet of Things, mobile and consumerisation. But, while CISOs must have detailed knowledge of the threats emanating from technology change, the ability to be a business enabler rather than just controller was also a key talking point.
First up was Adrian Davis, managing director EMEA at (ISC)2.
He began by outlining how CISOs need to think beyond the threats and look at their role as part of the business and consider the threat of opportunity. “I don’t want to just talk about threats,” he said: “Everyone talks about how the sky is going to fall in, ‘we won’t be able to have ecommerce, everyone will be hacked and it will all go horribly wrong’. But we may actually overcome a lot of these problems and the internet might provide another jump in capability.”
He described a common misconception in most organisations, where people believe everything fits together and works like clockwork, when in fact IT security teams are under great pressure from multiple sources working in silos to do different things and to do things differently.
“Organisations get pulled in all directions. This is internally through staff and externally through customers and regulators,” he said.
As a result, IT security departments in organisations are often just the controllers of what other parts of the business want to do. This means they are viewed as an obstacle rather than an enabler of business.
“We tend to focus on things we do which in security is control, but it does not work if the business thinks you want to control,” said Davis.
He said IT security departments should be closer to the risk teams within organisations. “We have a gap in organisations because people in IT and risk don’t talk.”
This is part of the reason why IT security is not viewed as an enabler when it should be. “At one side you have people looking at risk to the business and at the other side looking at risk to systems. But most businesses can’t work without IT so IT risk is enterprise risk,” added Davis.
The consumerisation of IT is heightening the pressure by the business on CISOs and their teams to change the way people work. But this should be where the CISO proves his or her worth by enabling the adoption of things like Bring Your Own Device in a secure manner.
BYOD is, according to Davis, a good example of the “relentless pressure from consumers to bring their digital world into your enterprise”.
But it goes way beyond devices with the workforce plugging into apps that IT has no control or understanding of.
He said these consumers live in a world of permanent beta because the apps they are using are not finished products. “They are beta and they never ever become a finished product.”
He said IT hates that because it wants standards, but today’s workforce, including the CEO, expects the consumer level of speed with the apps they are using. They want to be able to click on a useful app and start using it, so CISOs have to work with this. “Consumers want an app and think it’s safe because it’s on something like the Apple App Store. As a result they question what security they need – this is a big issue we have to overcome.”
“People use their own stuff whether you like it or not. Security can add value by being more focused on business. Stop worrying about the boxes that go ping and adopt the same mechanisms as other departments and create governance frameworks. This is powerful because when you have a governance framework you can start expressing what you are doing in business terms.”
He warned that unless CISOs can prove to the business that they add value, and not just protect it, they will struggle to get the budget they want, with marketing, HR and operations all competing for a limited budget.
Although the business enablement role of CISOs is vital, Davis finished off by warning CISOs to be prepared for an explosion in threats.
He said that with 500 million more mobile users expected over the next five years, user threats will increase, with the monetisation of cyber-generated crime following suit.
Enter Neil Cassidy, deputy director operations at CERT-UK. Cassidy has an inside view of the volume and nature of today’s cyber-threats.
Cassidy is currently involved in setting up the national UK computer emergency response team (CERT).
He said the volume of cyber-threats facing businesses today is frightening.
“It’s the scale of the thing I am scared of.” He described how 100 billion things, each with some computing power, could be connected to the internet by 2020. He said this is a huge worry from a network defence point of view.
“The internet of things scares the living daylights out of me because there are more things connected to the internet than people in the world,” said Cassidy.
He said that while David Cameron’s announcement that the UK should invest more in developing the Internet of Things is welcome from a productivity perspective, it could have serious security repercussions.
He said that, used as a “force for good”, the Internet of Things is going to give us great productivity and will change how we live, but because not everyone is good, this is what we have to prepare for. “We have already seen spam messages sent from fridges. It only takes one spam to be opened and they are in.”
He said the volume of computerised devices changes how systems need to be secured. “They say everything will be encrypted but encryption is just a mathematical algorithm and enough computing power and you will crack it.” He said there could be 100 billion devices trying to crack it.
Cassidy closed with some advice.
He said it is critical that CISOs understand where key information assets are and how to protect them.
He also said organisations, even competitors, should share information about attacks to help secure their sectors. “It is not a competitive advantage for a competitor to get hacked.” He said, for example, that people remember a bank being hacked, not necessarily which bank.
He advised organisations to treat security as a business continuity issue and make sure they can recover quickly.
Then came Mark Jones, CISO at Heathrow Airport Holdings (previously BAA), to outline the views of someone looking after security at a critical part of the UK’s infrastructure.
He said IT security operations can become a business enabler by tying service protection strategy closely to the end customer’s experience.
He described how IT security and business continuity are often kept separate despite the two being intrinsically linked. For example, if a system controlling baggage at a major airport went down as the result of a hack, business would stop. “If something like a baggage system goes down everyone knows about it. If it is down for 30 minutes it’s on the national news,” said Jones.
But he said a lot of CISOs do not have responsibility for business continuity, and organisations often overlook the potential for security and business continuity departments to work together. “I have worked with some organisations in the past where there were overlaps between security and business continuity operations; in some cases they were investing in the same things but reporting to different departments.”
He said that to address this, organisations have drawn up plans to talk about customer outcomes rather than different departmental goals. “Think about resilience and security in terms of the assets related to a customer outcome.” This pooling of resources for a common goal, customer experience, got good buy-in from organisations he has worked at, added Jones.
But aligning security with the business, although important, is not enough for a CISO today. Threats are multiplying at a rate that is frightening to those who have a first-hand view.
Jones said there are three tools that are vital in helping you manage the threats of the future.
He said IT must get a grip on identity and ensure there is no difference between what the business thinks a worker needs to do their job and what the reality in the IT infrastructure is. “As you start introducing network-based services, for example the cloud, it is important that you have a concentrated and clear view over identity.”
Then, he said, CISOs must devise methods of educating people within the business about security. But he warned that education must be made simple. “Human beings don’t like impenetrable content – they like content to be intuitive in nature and prefer to get a quick reward for their attention investment.” He suggested investing in “reinventing the articulation of the behavioural side of security.” He recommended communicating graphically with iconography as part of security awareness training.
Jones said that, despite the fact that money has been wasted and projects have in some cases gone badly, Security Information and Event Management (SIEM) is a pivotal protection technology as cyber really takes hold. “SIEM provides a core capability in terms of lifting cyber situational awareness across an IT estate and is in my view an essential tool in the CISO armoury in terms of detecting anomalous behaviour.”
He closed by looking forward. He said it is not just about securing the cyber world but about securing information and services in general. He said human behaviour is a major part of the problem and that CISOs need to work hard to prevent careless disclosure. He added that protest movements are increasing the burden on CISOs because they are changing their activity, with traditional protest and cyber activity coming together.
Then the discussion was opened to the floor and the audience had its say.