By Phil Mason
In the following post I will discuss ‘Progress against the Objectives of the National Cyber Security Strategy’, ‘Forward Plans’ and a few of my own predictions on what 2014 may hold for the world of cyber.
Progress Is a Nice Word
Rather encouragingly, much has been achieved by the government delivering the UK Cyber Security Strategy in the year just gone. Detail on exactly what has been achieved and how the pace of delivery is being maintained was provided in two Cabinet Office reports published shortly before the Christmas break. One report was on the progress made against their strategic cyber security objectives and the other detailed plans relating to those four objectives going forward. For those who are unaware, they are as follows:
- Making the UK one of the most secure places in the world to do business in cyberspace.
- Making the UK more resilient to cyber-attack and better able to protect its interests in cyberspace.
- Helping shape an open, vibrant and stable cyberspace that supports open societies.
- Building the UK’s cyber security knowledge, skills and capability.
It is my intention to comment on some of the more pertinent points in these two documents for cyber and, in particular, information security consultancies such as IRM – their people and their clients.
Resilience
As much as the media love the (rather clichéd) story, hacking is no longer the pastime of teenage boys and underground ‘hacktivist’ groups looking for self-gratification or fleeting political one-upmanship. Crime gangs now have the capacity to mount incredibly sophisticated cyber-attacks on an industrial scale.
The amount of digital information UK organizations create – coupled with their increasing reliance on technology simply to ‘do business’, let alone protect intellectual property and confidential information – presents those gangs with ample financial reward should they succeed in breaching systems. Therefore, it really is a case of ‘when’, not ‘if’ (sorry for rolling that one out again, but it’s true and nicely concise), and making the UK more resilient to cyber-attacks is paramount to ‘protecting our interests in cyberspace’ (the last part of Objective Two – they’re all rather entwined).
The successful organizations of the Digital Age will unquestionably be effectively translating the importance of cybersecurity to the entire workforce. They will regularly rehearse and, consequently, alter their incident response plan, train their people to have a confident understanding of the subject, its effect on the business, and possess accurate threat intelligence and an expert cybersecurity incident response provider to augment their team.
The 10 exercises staged by the government to test cyber resilience and response in key sectors, including finance, law enforcement, transport, food and water, certainly resonate with the work undertaken by IRM. So many of our clients find tabletop cyber incident response exercises invaluable for becoming aware of possible weaknesses and gaps in their planning.
Furthermore, the work undertaken to protect the nation’s critical national infrastructure (CNI) from the insider threat is illustrative of the organizational change necessary to achieve a practical and tailored security maturity. Risk assessments, clear cybersecurity governance and effective communication through mediums such as video, email, lectures, seminars, posters and training courses can all help organizations detect and prevent incidents. Moreover, I would argue these proactive measures have a positive impact on protecting against the external threat as well as the insider threat.
Corporate Cyber
The public sector’s cyber awareness and skills are well documented in both the ‘progress’ and ‘forward plans’ reports. Public sector initiatives include the National Archives (TNA) delivering training to civil servants, an e-learning course ('Responsible for Information') available on the Civil Service Learning website, the College of Policing preparing to roll out cyber courses to train 5,000 police officers and the Public Sector Network’s (PSN) creation of a new security model for the sharing of services. £9.6 million out of £180 million has been spent on engagement with the private sector through the Department for Business, Innovation and Skills (BIS). Admittedly, a large proportion of the £86.6 million spent on ‘national sovereign capability to detect and defeat high end threats’ will have benefitted the private sector. However, if the UK is going to stay competitive, I would argue that more money and time needs to be dedicated to giving the private sector incentives to spend more on cybersecurity and to work with government to protect our intellectual property, infrastructure and freedoms.
Encouragingly, there is the Cyber Security Information Sharing Partnership (CISP), a real-time cyber threat information exchange that now has 700 individual members and 250 member organizations (of which IRM is one) with a view to achieving 500 member firms by the end of 2014. The CISP platform is also going to be used by CERT-UK to deliver an expanded exercise program, building on work undertaken by the Bank of England, to ensure that critical sectors understand and are prepared for the potentially destructive consequences of a cyber-attack. Information sharing is crucial, and I must confess that during my time in the industry, I have always been impressed by the high levels of collaboration and communication among information security professionals within specific sectors.
What is also impressive about the CISP is that it seeks membership among small and medium-sized enterprises (SMEs), which arguably face the chance of going out of business due to the theft of their intellectual property – and consequently face a high level of risk based on the potential outcome of a breach.
However, I must still point out that the private sector needs direct communication from government to define ‘cyber’ (many still view the term as a buzzword). Government also needs to emphasize the sector-specific incentives of understanding and protecting business-critical information (knowing what it is, where it is, how it is protected, who is trying to access it and who is likely to) and to support enterprise-wide change to achieve knowledge and awareness.
Some may argue that the ‘Executive Companion: 10 Steps to Cyber Security’ guidance document for businesses made a good start to ensuring boards take notice of, and understand, how cybersecurity affects their business – and I would agree. In the past year, the UK government has worked with organizations including the Institute of Chartered Secretaries and Administrators, the Audit Committee Institute (Audit Chairs) and the Association of General Counsel and Company Secretaries of the FTSE 100. This is an impressive start; however, from experience I would argue that for business boards to change their behavior, the message conveying the impact of cyber-attacks should be focused on the technology-related risk questions facing their industry.
- Retail is an industry increasingly dependent on online brand loyalty and trust.
- The media industry must become cognizant of the risks introduced by new technologies for content delivery while protecting the entrepreneurial culture of their businesses.
- Telecommunications as an industry has to work to ensure its customer information does not fall into the wrong hands, as the MSISDN (your telephone number) is now classified as Personally Identifiable Information.
- The legal industry must become cognizant of the highly sensitive case data it processes electronically relating to commercial disputes, such as patent or other intellectual property infringement.
You get the gist – every industry has different drivers for dedicating precious resource to cybersecurity.
Tech in Need of a Makeover
Examining the lack of women in the cybersecurity industry may strike as a little off topic in light of the focus of this post – more economic than sociological and political. However, I would argue that this is one of the highest and most steadfast barriers to ‘making the UK one of the most secure places in the world to do business in cyberspace’, and requires significantly more activity than the government can muster alone.
IRM was fortunate enough to provide a challenge for the Cyber Security Challenge UK’s first week-long Cyber Camp, hosted at the Shrivenham Defence Academy last year. It was telling that the results of the camp revealed the women to be streets ahead of their male counterparts on the challenges that looked for good communicators.
Warren Buffett once said that one of the reasons for his phenomenal success was that he was only competing with half of the population. I believe that a variant of these kind and wise words holds true for the cybersecurity industry. We are, for the most part, competing on a global stage with half our capacity and talent. I would argue that creating a new coding module for use within the Computer Clubs for Girls (detailed in the government’s progress document) is a good start, but it needs to be built on considerably. Cybersecurity as an industry needs a makeover to challenge the widely held perception that it’s an unattractive career choice for women, and it needs to inspire an interest on their part. A government-backed cybersecurity recruitment campaign, if you will.
Despite the women doing extremely well at the Cyber Camp and displaying unique and valuable cyber skills, they were still vastly outnumbered by men. However, it’s not all doom and gloom, and I would rather not end on a bleak note! So for those interested in learning more about the encouraging advancements being made by women working in security, I recommend visiting the Women’s Security Society (WSS) website.
In Closing…
Cybersecurity needs to become a government-as-usual activity that understands the specific drivers and pain points of the private sector as well as those of the public sector. Both of the Cabinet Office’s documents are incredibly encouraging, and detail activity that spans a range of organizations, ages, job roles and mediums (I would very much like to be able to add gender to this list) – from HMRC providing advice to its customers every day via Twitter, to CESG’s Certified Professional (CCP) scheme, which sets a standard for individual accreditation within the UK’s cybersecurity profession. That the activity is so varied and the strategic objectives so entwined is marked progress. The objectives inform one another and are more likely to lead to government helping organizations understand their reliance on secure information, and the importance of responding efficiently and expediently to limit the operational as well as strategic impacts of a cyber-attack. What I think is crucially missing thus far, for corporates, is empathy and understanding that goes further than sharing information and providing guidance, and offers incentives for behavioral change.
Phil Mason is Commercial Director for IRM plc