Protecting critical infrastructure from cyber-attacks requires adopting a shared responsibility model between vendors, network operators and governments, according to a panel speaking during a recent FT webinar.
The panel, moderated by Alex Irwin-Hunt, global markets editor of fDi Intelligence at FT Group, agreed that a range of parties has different responsibilities in ensuring the integrity of software and hardware products. The process begins with manufacturers “making sure that their product that’s released into the market is a quality one, and that includes reducing vulnerabilities as much as possible,” according to Dr Wendy Ng, cloud security architect lead at OneWeb.
However, this process can never be 100% effective, and vendors still have obligations to release patches for the product once it has gone to market. “Then it becomes a real partnership between the end-user and vendor,” observed Ng.
Colm Murphy, senior cybersecurity advisor, Huawei, reiterated the need for a shared responsibility model and emphasized the role played by service providers in keeping products secure. “They own and operate the networks, they manage the services, and they have to look after things like patching and security configurations.”
Additionally, governments have an important role in setting the standards and regulations for products and creating a regulatory arm to oversee and enforce these rules. Murphy also believes organizations need standards bodies to “tell us what good looks like.” This should be determined by consensus, involving all stakeholders in a given industry.
Ultimately, however, the people at the top of these organizations determine the strength of critical infrastructure security, according to Jane Frankland, CEO of KnewStart. “Unless there is understanding at the very top, with the CEO and board of executive directors, then you’re going to have a problem.” This awareness at the top needs to filter down to those in senior security positions, like CIOs and CISOs.
Going forward, the panelists said what is needed is a greater level of collaboration. For example, Ng outlined the benefits of different cyber vendors working and learning from one another. Frankland added that the next phase of the cybersecurity industry’s maturity is global cooperation. “I see that as being the next phase in our maturity because we are still very immature – we are still a new industry,” she pointed out.
"There are a lot more things connected now, and that gives more opportunities to bad actors to go about their work"
Such approaches are increasingly vital given the expanded attack surface. Murphy noted that particularly since the COVID-19 pandemic, businesses are becoming more reliant on the “functioning of technologies, and those systems are vastly more complex than they ever have been.” He added: “There are a lot more things connected now, and that gives more opportunities to bad actors to go about their work.”
Frankland added that the growth of cloud adoption has significantly increased the attack surface cyber-criminals can target. “Misconfigurations in the cloud is the number one risk, so it’s absolutely vital we look at the whole environment and reduce as many risks as possible.”
Amid this riskier threat landscape, it is critical that all staff in an organization, not just security teams, are well-versed in cybersecurity. Frankland believes we need to reach a stage where “we’re all becoming security practitioners in the organization.”
The discussion then moved on to strategies to address the cyber-skills gap, and in particular, attracting more women into the sector. Frankland noted that the industry has broadened in recent years, creating positions that are not as focused on tech as they were in the past. Therefore, “we need to market more” and recruit people from other industries such as lawyers, HR and teachers. “If we can train them and get them up to speed in terms of what we’re doing, it means we can actually increase our workforce very fast,” said Frankland.
Ng concurred, stating that greater gender diversity is essential to filling the skills gap, “otherwise you’re missing out on 50% of your population.”
The panellists also discussed the growing need for organizations to demonstrate their security capabilities and credentials, with internal and external stakeholders increasingly aware of cyber risks. Demonstrating this effectively and independently requires input from multiple parties, according to Murphy. For example, third party assurance involves accredited labs to conduct tests agreed and determined by standards bodies. Therefore, it comes back to “everybody working together in collaboration and cooperation,” he stated.