Cyber security requires the collective efforts of big teams, according to Barrie Millett, member of the advisory board of the Cyber Rescue Alliance.
“Experience has taught me we cannot be effective in silos – we need to work together and use the big team approach,” the former head of resilience at E.ON UK told the (ISC)2 EMEA Congress 2016 in Dublin.
“And more importantly, you have got to test, test and test. Don’t try to wing it. You have to think the unthinkable and be imaginative in understanding the threats, how they could morph, and how to develop response plans,” he said.
Millett has spent the past eight years helping organisations, including those that form part of critical national infrastructure (CNI), to build resilient businesses that can respond effectively to potentially catastrophic events.
He is now working with the Cyber Rescue Alliance to help CEOs around the world respond to what he describes as “inevitable” cyber breaches, build resilient organisations and teams, reduce the impact of incidents, and understand what is really critical to their organisations and what they need to maintain to keep the business operating.
However, Millett said he continues to come across chief information security officers, chief technology officers, managing directors and chief executives who are shocked when law enforcement informs them their networks are communicating out to known bad actors.
“In many organisations, there is still poor understanding of what has been outsourced, what is critical, and how to get that information when it is needed,” said Millett.
How threats have evolved
Executives are even more surprised when they are told state-sponsored actors have been active on their networks for six months or more without being detected.
“That is how threats have evolved, and what we have to think about more in the future,” he said, adding that his biggest concern is that the methodologies used by state actors and cyber criminals for financial gain will be used by terror organisations to facilitate physical attacks, or will be the main attack method.
“We have to be imaginative about what can happen if we are to have any chance of success in defending against attacks,” said Millett. “Siloed thinking and incomplete planning will seriously limit an organisation’s resilience capability. It will increase costs and erode value.”
Millett encouraged organisations to tap into the information available about the threats they are likely to face.
“There are lots of very bright analysts out there, and lots of information being provided, but many organisations are not using it,” he said, citing former US defense secretary Leon Panetta, who warned against failing to acknowledge the existence of threats.
Millett said the cyber attack on Ukrainian power supplies in December 2015 was so important to the US government that it deployed a team to get an understanding of what had happened.
“Governments and society want and need assurance that we have control of this from a physical and cyber security standpoint,” he said. “We have to join together, build resilience and understand the dynamics of emerging threats.”
Big team approach
Millett urged information security professionals to take the big team approach by working with law enforcement. “We have got to speak their language, link into their command structures, educate them in our challenges, but also understand their challenges,” he said.
“Also, information security professionals have to engage with their operational teams. You can’t do it in isolation. All too often, I see business policies directed at business goals that look fantastic but cannot be operationalised because executives have failed to engage with operational teams.”
Millett gave an example of how he and his team were able to prevent 18 separate attacks by activists on fences at a power plant by gathering intelligence from social media and feeding it through to police and his operational teams.
“We succeeded because we understood the threats, we thought the unthinkable, and we worked together as one team,” he said.
Security truly is about people, said Millett. “But we do not use their capabilities enough. Security professionals’ engagement with people has to be different. We have to get into the organisation, feel their pain, understand what they are trying to achieve and how we can help them.”
Millett emphasised the importance of understanding what is critical and getting business leaders to understand the same, rather than taking a “scattergun approach” to cyber security.
“There is a lot of good practice out there, but you have to link your strategic plan and your strategic approach to your operational delivery,” he said. “Deliver an operational framework that is linked to teams and keep it simple, keep it fresh and test it.”
Millett called on information security professionals to work with business executives to improve their understanding of the risks and threats, and ensure they know what to do during and after cyber attacks.
The challenge cannot be addressed individually by institutions or government organisations because the interdependencies are simply too great, he said.
“We must connect our thinking, resources and activities. Physical and cyber worlds are interconnected. That is a reality, and has to be a good platform to share and learn from issues,” he said.
Millett called on his audience of information security professionals to join him in the quest to deliver resilience in a challenging world. “The price of failure is far too great,” he said.