Philip Ingram MBE hears from leading cybersecurity experts on the topics of cyber culture and education.
It seems all we hear about is cyber this and cyber that, with sprinklings of edge security, network inoculation, endpoint vulnerabilities and zero-day exploits. However, is that what cyber is all about? Terms that many don’t really understand unless immersed in the technical side of the problem seem to abound. Why is it always an IT issue, and when does it all just become security?
Looking at current thinking, Philip Ingram MBE sits down with Ian Thornton-Trump, Chief Information Security Officer (CISO) at the cyber threat intelligence company Cyjax, and with Mike Gillespie and Ellie Hurst from the leading independent information and physical security consultancy Advent IM.
Facing the challenges
“The greatest challenges for businesses in the cyber environment at the moment are a data breach followed by a ransomware event, making life miserable for a huge number of organisations, as are their often-failing attempts at data recovery,” says Ian Thornton-Trump.
Ellie Hurst expands on this, saying: “Supply chain and third-party vulnerabilities are leading to security breaches and ransomware attacks on a much larger scale than we have seen before. Lack of governance around some of these relationships makes it easier for criminals to capitalise on any security gaps. Assurance and audit are hard in complex environments; we understand that, but so much outsourcing without proper risk assessment has led us to a place where we can be attacked or disabled and then extorted with relative ease when proper supplier security assurance is absent.”
So, the question is how to deal with this. Ian Thornton-Trump suggests: “Organisations need to really spend time and effort in developing threat models to drive decision making when it comes to security controls. Most are struggling to identify their external attack surface but feel that technology, not analytical work, is the answer.”
Ellie Hurst’s view brings a different dimension to this thinking: “Getting culture and training right is critical, as is simply acquainting themselves with all their information assets; this would be a good place to start. How can you start planning the protection of information assets when you do not know where they reside and their value? Making sure that the business objectives come first, so security isn’t seen as a blocker, and letting the policies and procedures fall out of those objectives is the right approach; cybersecurity’s role is to enable those objectives securely.”
Ian Thornton-Trump agrees: “A security program that is aligned to prevention is doomed. The focus needs to be detection, containment and recovery. This is a mission which requires a lot more resources and capabilities than many companies have, and so far many have failed to make the appropriate investment in it.”
He goes on to expand on the importance of culture, a word that has come up in almost every cybersecurity conference at a number of different events in recent months: “I think a culture of security is vitally important but must be combined with security leadership. Without that vital cybersecurity leadership in place, the number of staff and contractors who have not understood the meaning and intent of the security program will be far too high.
“A culture of security should be combined with openness, honesty and embracing security events as learning opportunities; otherwise you may descend into a culture of security paranoia, which may be even worse than no culture of security at all,” he continued.
He then emphasised: “A security program that is aligned to prevention is doomed. The focus needs to be detection, containment and recovery.”
Focus on education
Looking at those resources, Mike Gillespie believes education is critical: “Taking the Wikipedia explanation of education, ‘the process of facilitating learning, or the acquisition of knowledge, skills, values, morals, beliefs and habits,’ which sums it up well, most security training uses negative language by telling users not to do this, not to click on phishing emails, not to go to malicious websites and more ‘nots’, but that isn’t education.”
He goes on to say: “This is further compounded by negative rule-based policies which squash innovation and prevent users from applying discretion, professional judgement and common sense. In some cases, organisations even discipline their staff for doing the right thing because it is against their policy (a cultural issue). We need to use more positive language to engage with users instead of viewing them as the enemy; we need to demonstrate what good looks like and then catch them doing it right to reinforce positive behaviour. For security to be an enabler, we need to enable users,” he concluded.
Expanding on the importance of culture, Ellie Hurst said: “It is at the top of the list. Peter Drucker once said, ‘Culture eats strategy for breakfast,’ and I have to agree. No plan survives first contact with the enemy, so making sure your people know how to behave is vital. The business’ end of this agreement is that they will provide the tools, training, education and environment to enable this to happen, and leadership should be showing by example, demonstrating what good culture looks like. A fish rots from the head down.”
She concludes by saying: “How can you start planning the protection of information assets when you do not know where they reside and their value? Make sure that the business objectives come first so security isn’t seen as a blocker, and let the policies and procedures fall out of those objectives; cybersecurity’s role is to enable those objectives securely.”
Their comments echo those of several panel discussions at different events, where the two phrases that came up consistently in every cyber discussion were culture and education. So, if you are looking for a tech-only solution to a cyber problem, the collective opinion is that you are not spending wisely. Save your investment and look at culture and education first.
This article was originally published in the October 2021 edition of International Security Journal.