CESG, the information security arm of UK intelligence agency GCHQ, has challenged information security professionals to deliver security controls that make sense.
“The aim of security professionals has to be understanding what people in the business are trying to achieve and helping them to achieve those goals securely,” Jonathan Lawrence, technical director of CESG, told attendees of The Cyber Security Summit in London.
All too often, Lawrence said, he sees organisations with so many security controls that it is impossible for people to do their jobs using official systems and devices.
“They are forced to find workarounds just to get their jobs done, which means that while the organisation is extremely secure on paper, the reality is very different, with people in the organisation resorting to using their personal online accounts and devices to get their work done,” said Lawrence.
CESG, he said, believes the approach to security should be risk-based, where organisations identify the real risks and put in the minimum security controls to mitigate those real risks.
“Just because you can set a password on something doesn’t mean you should. It is better to mitigate only the risks identified through proper risk assessment,” said Lawrence.
This approach, he said, would mean that users are not hampered by unnecessary security controls, and that security professionals should be able to justify each and every security control they put in place.
“Otherwise, security controls that are implemented just for the sake of it can backfire and result in unexpected, and even perverse, outcomes,” said Lawrence.
A better approach, he said, is for information security professionals to engage with people in the business, find out what they are trying to achieve, and find ways to help them to do so securely.
It also means not blaming users for security failings, but instead finding ways to ensure they are not faced with making security decisions, by implementing systems that filter out malicious links, patch software vulnerabilities and block malware effectively.
“There is value in training people to identify and respond to things like CEO fraud, but you can’t put in blanket rules like ‘don’t click on links’ because that is impractical in a business environment,” said Lawrence.
Similarly, it means implementing sensible policies for things like passwords and supporting users by deploying password managers or using single sign-on certificates.
“The average UK citizen has around 22 passwords, and in regulated sectors that is even higher, but remembering that number of passwords is impossible, so it is better to implement systems that take away that burden from users,” said Lawrence.
“Information security professionals have to move away from saying ‘no’ and being risk-averse to the point that it becomes ridiculous to finding ways of securing business processes that are effective, yet make sense in the real world,” he said.