Infosecurity Europe: NCSC Urges Immediate Action to Boost Resilience as Uncertainty Persists

Security teams must improve collaboration and enhance cyber resilience if they are to survive in an increasingly volatile world, one of the UK’s leading cybersecurity agencies has warned.

Speaking at Infosecurity Europe on June 2, National Cyber Security Centre (NCSC) director of operations, Paul Chichester, shared his vision of the threat landscape, and what organizations must do to manage risk at a time of tremendous change.

Despite having observed the “arc of cybersecurity” for over three decades, Chichester admitted “now is perhaps the first time I’m not sure ‘where next?’.” That’s down to a confluence of technological change, geopolitical uncertainty, and threat landscape evolution.

“It feels like there are a lot of dice and a lot of variables and we’re not predicting anything very well these days,” he admitted. “Professionally, things are harder than they’ve ever been.”

Chichester’s words came as new data released by ManageEngine revealed that 77% of British organizations suffered a cyber incident over the past year, 11% above the European average.

The Lay of the Threat Landscape

Chichester described several other areas of concern that infosecurity professionals will be familiar with but need to address.

They included hyper connectivity – which he claimed was growing at such a rate that it’s increasingly difficult for defenders to track and manage across the entire IT estate.

Another is the pace of tech transformation, which Chichester said will drive huge “societal and civilizational changes” and create yet more “vast amounts of uncertainty.”

“It’s quite a lonely place to be as a technology and security professional because we’re trying to slow things down,” he added. “As technologists, that’s not what we want.”

Chichester warned of the growing use of cyber as a tool for “overt and covert statecraft” – ranging from the kind of hybrid warfare Russia is waging in Ukraine, to the transnational repression Beijing turns on certain parts of its diaspora.

Compounding these challenges is the fact that corporate IT is getting more complex, said Chichester. Codebases might have a lifespan of just weeks or months and apps rewrite themselves – with AI disrupting everything.

“How many people really understand their entire tech stack from apps down to the hardware?” he asked the audience. “That’s hard. That uncertainty is something we’ll have to try and manage.”

Fighting Back Together

Chichester also had some words of optimism for attendees. There is a growing acceptance in government of using offensive techniques to “confer costs on our adversaries,” he explained.

He also had warm words for the upcoming Cyber Security and Resilience Bill (CSRB). “We’re really pleased about where the bill is ending up,” he said. “We’re optimistic we’re setting some really powerful standards.”

However, public-private sector collaboration will be key going forward.

“Government can only do so much. It’s a collective endeavor,” said Chichester. “I really mean it this time. Now more than ever is the time to act. We have to work together.”

Time to Act, Says NCSC

Although threats are morphing and growing by the day, there remain some basic best practices that will help network defenders, he explained.

These include:

  • Reducing the attack surface: “It’s hard to use a frontier AI model [as an adversary] if you can’t get to the platform,” said Chichester
  • Addressing legacy systems and shadow IT: This is where frontier AI can help by “democratizing” high-performance pen testing and red teaming for all organizations
  • Access controls: Including zero trust approaches and access management. “Identity is the root of everything going forward,” said Chichester
  • Preparing for incidents before they occur: Incident response exercises are particularly important, and could “transform” an organization’s response posture, especially at board level, said Chichester

“Uncertainty can be massively disabling and make you wait for certainty,” Chichester concluded. “But now is the time to be acting. You need to get match fit. We will be living in a completely different world as defenders. Don’t wait for certainty, because it’s never coming.”
