It’s incredible to consider how quickly technology advances in the modern age. When you sit back and think about where we were even ten years ago, the situation was dramatically different. That, and the risk landscape was significantly smaller. The unfortunate downside of technological advancement is the breadth and fragmentation of IT infrastructure that’s coming with it and the cyber criminals who evolve alongside. Back then, we spent all of our time trying to get information security onto the board agenda, now it seems we spend most of our time trying to prevent it being on the board agenda. This makes my job as a Director of Information Security pretty interesting, but also a weighty challenge.
Whenever someone asks me, “what keeps you up at night”, my answer is always, “have we done enough?”. We know we can’t prevent all cyber incursions, but have we done enough so that if a successful attack occurs, we can counter it and then return back to normal business operation as quickly as possible?
The threat landscape is changing rapidly, for good and for bad. For example, government authorities are now putting much more weight behind cracking down on ransomware attackers. So, while we can take solace from this, I do wonder what the next line of attacks will be. I don’t think we’re ever going to see cyber criminals able to act with abandon like they did for such a long time, but it does force them to get more creative in their approaches.
In that vein, it can be far too easy for an information security team to focus on preventing the bigger attacks and forget about all the smaller strikes that can flow in under the radar. “Business email compromise” (BEC) is the perfect example. This is a form of phishing where an attacker tries to trick a senior executive, or someone with the authority to process finances, into transferring funds or revealing sensitive information. It doesn’t have the same level of long-term monetary impact as a ransomware attack might, but it can still be incredibly disruptive and costly in terms of the day-to-day running of your business. Training employees at every level on good security hygiene is an absolute must to help shore up these kinds of easy entry points.
And that, for me, is one of the biggest challenges I see CISOs having to face today: how to stay focused on what’s important without lurching from trend to trend.
They’re also having to balance this with a lack of control. Control is something that CISOs need to accept they will never have. The global pandemic is one obvious example, but there are other factors, like a government official making a statement, that can, in the space of a day, have a direct impact on the landscape in which you are doing business. It’s important for the modern CISO to understand how to navigate frequently changing hybrid environments.
But what if you’re struggling for the resources to do that? I’m very fortunate to have a whole team behind me as we traverse the risk terrain, but there are still some businesses out there, even larger ones, that don’t have internal IT or information security, or even access to external support.
The reason for this is, generally, that the level of risk has not yet become apparent to the organisation, so the investment goes elsewhere in the business. The crucial factor here is that the importance of cybersecurity is being misunderstood. In the 2020s, it needs to be considered a cost of doing business. Making the investment now to get a robust security plan in place is key to avoiding losing out later when you’re inevitably targeted by an attacker.
If I could give CISOs or other executives in these scenarios one piece of advice, it would be to verify that you know what your risk is. If you don’t have an internal security team, reach out to an external consultancy and ask them to do an assessment, simulating the kind of attack that your organisation might have to face. Only when you understand how effective your defences are and, more importantly, how good your response could be, will you be able to make a case for an appropriate level of support for your business infrastructure.
I would still argue that “the basics” are the most important thing you can do. But let’s not call them basics any more, as that implies that they’re easy to implement, when in reality they’re actually very hard to consistently execute. As far as a cybercriminal is concerned, they don’t care if you’ve managed to get 99.99% of patching done. All they need is the one machine you missed. And that’s the core challenge. An attacker only needs to find one hole, one place that you’ve overlooked or not yet reached. So, ensuring all your bases are covered is an enormous job for CISOs and their teams and not one to be undertaken lightly.
So, what constitutes good enough? Sometimes, you’ve just got to find a way to patch all the holes, because if you leave one, you may as well not have done it at all.
Our award-winning CISO
Quentyn was recently awarded a place in the CSO30, which recognises senior security professionals in the UK for demonstrating outstanding contribution and thought leadership both within their organisation and amongst the wider cybersecurity community.