Former MI5 director Jonathan Evans is not pessimistic about cyber security in the long term.
The seriousness with which governments are treating the cyber threat, and their use of all aspects of state power to address it, augurs well, he told the Good Exchange Cyber Security Summit 2015 in London.
Cyber security is becoming a major international issue that is discussed at the highest levels of government, said Evans.
This means cyber security is well on its way to maturing into a recognised threat with established ways of managing it, he said.
Evans noted that there are “serious discussions” in the US around using sanctions against companies or individuals involved in cyber threats in the same way that has been successful in other international disputes.
“I am also relatively encouraged by the level of awareness of this issue, which just wasn’t there five years ago. There are now a lot of serious people focused on cyber security and there is a lot of investment, not only in resilience, but also by venture capitalists in cyber security startups.
“The amount of money, intellectual activity and resource going into this will have an impact and, as this matures, there will be a balancing out between the attackers and the defenders, but right now there is still a lot of work to be done,” he said.
Ask the right cyber security questions
Evans, who is now the cyber security governance lead on the board of directors for HSBC, said there are six key questions around cyber security that every company should be asking to get discussions going between the business and those responsible for technology.
First, what are your critical data holdings and processes?
“This is not a trivial question, especially if you are running a global company. It can be a very difficult question to answer, but unless you answer it, I don’t see how you can really have confidence in the approach you are taking in managing these risks,” he said.
Second, what is the threat to those assets? Third, what is the risk appetite?
“You need to work out what is actually a threat to you, and this will enable you to calibrate your risk appetite – unless you know what it is you are protecting, and unless you know what it is that you are protecting against, then you will have a major difficulty in getting the calibration right,” said Evans.
Fourth, who should fix it?
“The answer to this is not simply the chief information security officer because, in most companies, the CISO is not necessarily in a position to mandate particular behaviours across the company or influence the trading agenda,” said Evans.
Cyber security, he said, is something that needs to be thought about right across the business because it is multi-dimensional, and there are no silver bullets, no single bit of kit that can solve all the problems.
Fifth, is cyber security factored into future plans?
“Cyber security is an issue that needs to get factored into future planning. We think about all sorts of risks when we are thinking of future investment. We need to think how any business action changes our cyber security posture, the risks we are facing and what we are going to do about that,” he said.
Finally, what about your supply chain and partners?
“We need to recognise that we live in an ecosystem with other companies and we have all got to be strong enough and share the responsibility for countering the cyber threat, because many of the attacks are through supply chains. Unless we all do this collectively, across company boundaries, we are going to be in trouble,” he said.
Evans said that while these six questions will not find the answers for everything, they will ensure that the right conversations are taking place.