Cyber security comes down to culture, say Dutch security experts

IT security can no longer be seen as just a technical matter. People, education and management matter too, but culture is the overarching and binding element, says a security executive at a Dutch bank

IT is pervasive and for modern life seemingly inescapable. But on closer inspection, IT is quite young and even immature. Right now, the argument can be made that IT is a teen. It thinks it knows it all, blindly accepts that the world revolves around it, but it’s actually inexperienced, obstinate and not really talkative or sharing. And yet it’s unavoidable.

The adolescent angle is an assessment that Kelvin Rorive, delivery manager and security IT threat manager at Rabobank, agrees with. The Dutch bank is sharing its security insights for the greater good. Not just for the bank and its customers, or even just for the banking world.

This sharing of security information requires a change in culture, however, not just for IT professionals but also for managers, boards, governments and even societies.

Rorive told Computer Weekly – and, via other means, the world – about the security approach Rabobank is taking. In addition to software solutions, scanning tools, a security operations centre, emergency response teams and other standard measures, the bank is also giving guest lectures to students, evangelising openness about hacks, and sharing security information.

Sharing does not necessarily mean revealing things in public, said Rorive. Sharing can, and sometimes should, mean sharing only in certain circles, with specific parties. “Banks basically have the same customers,” said the Rabobank security manager.

The interests of these competitors overlap. The same can be said for larger groups of organisations, such as those within a single industry, and also for state-owned organisations or for nations as a whole.

The Netherlands prides itself on the existence and workings of the government body National Cyber Security Centre (NCSC). This Dutch public-private cooperation is the central information hub and expertise centre for cyber security in the Netherlands. The aim is to help increase the digital resilience of the country, and thereby to facilitate a safe, open and stable information society.


Rorive pointed to the NCSC as an example of where the Netherlands is ahead, in comparison to other countries: “It gives us a lot of speed. And speed is of utmost importance.” He refers to the speed with which organisations can respond to – and even anticipate – security threats. “Take for example WannaCry: that was world news in just four hours.”

Rorive spoke to Computer Weekly shortly after the outbreak of this ransomware worm and weeks before the Petya/NotPetya outbreak that followed. Both worldwide malware attacks were initially perceived as just another case of rampant ransomware. Speed in discovery and analysis helped organisations take effective countermeasures and mount a successful defence.

Rorive is a proponent of more automation in the handling of security matters. He said the human factor needs to be involved, but automation can help weed out the chaff. “Some matters can then be escalated to humans. But even then you’re not achieving a 100% [success rate],” he said.

“After all, security is not a goal that can be attained and then checked off. Rather, it’s a matter of posture and culture. It sounds philosophical, but security is a journey.”

“It is hard for your board to realise that security is a never-ending journey with temporary stops but no final destination,” said Jaya Baloo, chief information security officer (CISO) at Dutch telco KPN. She heads up security operations at the Dutch company, which is part of the nation’s vital infrastructure. Baloo was hired after KPN was thoroughly breached in 2012, by a 17-year-old Dutch hacker.

Like Rabobank’s Rorive, she advocates sharing of security information to achieve better security for all. And also like Rorive, she is one of the authors in the Benelux edition of the book Navigating the digital age. This security-oriented book series is the other means by which experts such as Rorive and Baloo are telling the world about their security approaches and security culture.

Medical and military practice

Among the lessons they share are some drawn from field medics and military defence companies. One example is the medical practice of triage: quickly assessing which wounds are most life-threatening and hence need to be treated right away. This helps in a time- and resource-constrained environment, such as a field hospital in a war zone, but it can also be applied to cyber security.

Another lesson is the kill chain approach from defence, gleaned from the American defence company Lockheed Martin. This military concept breaks an attack down into a sequence of phases; disrupting any one phase breaks the whole attack. The kill chain has been turned into a framework for cyber security (Lockheed Martin's Cyber Kill Chain) to help defend against growing numbers of complex threats. This approach is, however, not without its detractors.
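The following is an added example, not code from the article, Rabobank or KPN, showing how the two ideas above can be combined into the kind of automation Rorive advocates: alerts are tagged with a Cyber Kill Chain phase, grouped per host, and triaged so that only the most advanced attack chains are escalated to a human analyst while isolated early-phase noise is closed automatically. The alert line format, the rule-to-phase mapping, the escalation threshold and the sample alerts are all assumptions constructed for this example.

```python
"""Added example: automated alert triage by Cyber Kill Chain phase.

Illustrative only; not the article's or any vendor's code. The alert format
('timestamp host rule_name'), the rule-to-phase mapping and the thresholds
are assumptions made for this example.
"""
from collections import defaultdict

# The seven phases of the Lockheed Martin Cyber Kill Chain, in attack order.
KILL_CHAIN = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}

# Assumed mapping from detection rule names to kill-chain phases.
# A real SOC maintains this as part of its detection content.
RULE_TO_PHASE = {
    "port_scan": "reconnaissance",
    "phishing_attachment": "delivery",
    "office_macro_spawn_shell": "exploitation",
    "new_service_persistence": "installation",
    "beacon_to_known_c2": "command_and_control",
    "mass_file_encryption": "actions_on_objectives",
}


def parse_alert(line):
    """Parse one constructed alert line of the form 'timestamp host rule_name'."""
    ts, host, rule = line.split()
    phase = RULE_TO_PHASE.get(rule)
    if phase is None:
        raise ValueError(f"no kill-chain phase mapped for rule {rule!r}")
    return {"ts": ts, "host": host, "rule": rule, "phase": phase}


def triage(lines, escalate_from="installation"):
    """Group alerts per host, find the deepest kill-chain phase reached, and
    decide what automation should do with each host.

    Returns a list of (host, deepest_phase, phases_seen, decision) sorted so
    the most advanced chains come first: the 'most life-threatening wounds'.
    """
    per_host = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        per_host[alert["host"]].add(alert["phase"])

    threshold = PHASE_INDEX[escalate_from]
    results = []
    for host, phases in per_host.items():
        deepest = max(PHASE_INDEX[p] for p in phases)
        if deepest >= threshold:
            # Persistence or later: the attacker is established, a human looks now.
            decision = "escalate_to_human"
        elif len(phases) >= 2:
            # Chain is progressing but has not yet passed the threshold.
            decision = "watch"
        else:
            # A single early-phase alert is the chaff automation weeds out.
            decision = "auto_close"
        seen = sorted(phases, key=PHASE_INDEX.get)
        results.append((host, KILL_CHAIN[deepest], seen, decision))
    results.sort(key=lambda r: (-PHASE_INDEX[r[1]], r[0]))
    return results


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    "2017-05-12T08:00:01 ws-017 port_scan",
    "2017-05-12T08:02:45 ws-042 phishing_attachment",
    "2017-05-12T08:03:10 ws-042 office_macro_spawn_shell",
    "2017-05-12T08:03:40 ws-042 new_service_persistence",
    "2017-05-12T08:05:00 ws-042 beacon_to_known_c2",
    "2017-05-12T08:10:12 ws-088 phishing_attachment",
    "2017-05-12T08:11:00 ws-088 office_macro_spawn_shell",
]

if __name__ == "__main__":
    for host, deepest, phases, decision in triage(SAMPLE_ALERTS):
        print(f"{host}: {decision:18s} deepest={deepest} seen={phases}")
```

On the sample data, ws-042 (which has reached command and control) is escalated, ws-088 (delivery and exploitation only) is placed on watch, and the lone port scan against ws-017 is closed automatically. One of the standing criticisms of the kill chain, its assumption that an intrusion walks the phases in order from the outside in, carries over to this logic: an insider or a compromised credential can start at actions on objectives with none of the earlier phases ever observed. Escalating on the deepest phase reached rather than on a complete sequence, as done here, is one way to avoid missing such cases.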

More is to be found in Navigating the digital age, which is published and offered freely (in physical and ebook form) by security supplier Palo Alto Networks. This book series is consciously not a supplier vision, not a product pitch, and not just technology talk either. “It’s not about technology. It’s about policy,” said René Bonvanie, chief marketing officer at Palo Alto Networks.

The Dutchman and Silicon Valley veteran has surprisingly outspoken opinions regarding information and communication technology, products and the industry, claiming “technology without policy is nothing more than just technology”. This may sound like mere linguistic logic, but it is meant, and said, as a pointed criticism.

The why of security

“What we want to protect is less important than why we want to protect it,” said Bonvanie. He argued that there might be best practices, rules, regulations and even laws about how to deal with security matters, but there were more important matters. “The law says how you should handle breach notifications, but that is not sufficient. To obey the law should be the minimum requirement.”

What, then, is more important? The intent of rules and law – the actual goal of those strictures and obligations. Namely: safety and security. “Is your customer satisfied, is society satisfied?” said Bonvanie. This may seem a bit highbrow or even pompous, coming from a security supplier, or from any commercial entity. But it is high time for change – time for a new culture to help cyber security.
