VanderWolf Images - stock.adobe.
The importance of making information security more accessible
Robin Smith, CSO of Aston Martin Lagonda, talks about how an accessible approach to cyber is helping him to keep the organisation secure
For organisations today, information is freedom. Those that are able to extract, harness and protect their data will find it far easier to meet their objectives in today’s customer-centric, information-driven landscape.
How companies can achieve that has changed massively over the past few years. Extracting and harnessing data remains as vital as ever, but the need to protect that data, and prioritise aspects such as data privacy, has become essential.
With data and security now so heavily tethered to business objectives and overall strategy, companies are increasingly looking for ways to enhance their information security posture to enable them to be more profitable and productive in a sustainable, low-risk way.
So, what are the key considerations? How can businesses make information security work for them?
Making information security more accessible
Information security isn’t just a technical issue, but a cultural one. Having technical talent in security is important, but a company that rests solely on this will end up with a fairly homogenised perspective on security.
It will be too focused on matter such as OSI (open systems interconnection) or the MITRE ATT&CK framework, for example, and while these elements are useful and important, pursuing them exclusively can lead to a fairly reductive and isolated take on security, when what you need is a fully integrated and holistic one.
It’s time for a bigger conversation in the industry about how we handle information security. It’s multi-dimensional and touches every aspect of a business, so it makes no sense to keep it siloed as an exclusively technical endeavour. By bringing non-technical and more diverse voices into the conversation, businesses can better align their information security processes with their overall objectives for growth and profit.
The more businesses can bridge the divide between security professionals and the rest of the organisation, the more robust and well-rounded their overall strategy will be. Security teams shouldn’t be compartmentalised and, equally, non-technical teams should also have a seat at the table.
From defensive to proactive
Aston Martin already had excellent security tooling when I joined the business, and thankfully we haven’t experienced any major attacks or cyber security incidents since. One of the things that has changed, however, is a gradual shift from defensive fortification toward innovation and collaboration, forging security partnerships both internally and with third parties.
Tight security partnerships aren’t just about gaining a technical upper hand, they’re about moving an organisation forward. Introducing new business-wide standards and policy frameworks can have a profound impact on an organisation’s overall security posture. While these may start out as technical missions, they quickly become cultural journeys.
Those journeys don’t just have one destination either. Mastering cyber security is like trying to hit a moving target; your organisation has to evolve with the changing threat landscape. Management needs to be focused not just on the here and now, but on what might be around the corner. Aston Martin, for instance, is modelling a threat intelligence management approach that addresses not just the current threat environment, but also the emerging one to ensure that it maintains its security position.
A common digital language
If mastering information security is like trying to hit a moving target, then in order to hit that target, organisations need to have the best technical and non-technical voices in the room at a given time.
Aston Martin focuses on what I call “digital literacy”, which involves non-technical staff learning enough of the technicalities to participate in the conversation, while our technical staff do their best to simplify technical processes. This meeting in the middle allows for some very interesting and productive conversations.
To outsource or not to outsource?
This is perhaps what could be referred to as a trick question, because the real answer is “both”. To keep up with the changing threat landscape, businesses need to be able to easily tap into knowledgeable and capable talent.
It’s important to nurture in-house talent and grow your own technical team. Enlisting third-party support through a partner such as SureCloud doesn’t change that, and bringing in third-party expertise can be one of the best ways to nurture in-house talent and acquire knowledge.
It’s no longer 1985, where businesses can expect to easily retain the best talent in the industry for their whole career – talent is now democratised and shared. And with the threat landscape moving at the speed of light, organisations should be willing to adapt to the talent market to shore up their security positions.
Levelling the playing field in the ‘new normal’
It’s very easy to get spooked by the threat landscape today. Throughout the course of the pandemic, we’ve seen incidents of ransomware soar to the point where businesses without a robust information security strategy are more or less sitting ducks. The nature of supply chain attacks means that they might be affected even if they’re not the target – nobody wants to be collateral damage.
In Marc Goodman’s book, Future Crimes, he talks in detail about the tenacity of malicious innovation – how threat actors always tend to be one step ahead when it comes to developing new ways of breaching cyber defences and infiltrating corporate networks. Closing this innovation gap should be a primary focus for the cyber security industry, particularly as we get settled into this new normal of agile working.
According to Goodman, 89% of employees are accessing work-related information on their mobile phones, and 41% are doing so without the permission or knowledge of their employer. That’s an example of how a change in the working landscape can automatically put cyber security professionals at a disadvantage.
If the message wasn’t already clear, we’ve got a lot of work to do, and that starts just as much at a cultural level as it does at a technical one.
Robin Smith is chief security officer at Aston Martin Lagonda.