For many after the historic events in the UK, it may indeed feel necessary to don a metaphorical “full metal jacket” to survive what is an ongoing onslaught of the political landscape. Uncertainty grows and the decision to “Brexit” continues to have ramifications far beyond those that were considered by many, it seems.
Given these uncharted waters, we must look to our principles to steady ourselves. This is never more true than in the security community. Cyber threats continue to escalate, the capacity for intelligent risk analysis (end to end) remains never more relevant. The economic climate may be unstable but the economics of crime remain certain. So it behoves all professionals with responsibilities for both information and technology to arm themselves with a greater understanding of what is required to actually embed secure thinking across their organisations.
That being said, less of the cyber, more of the information view is required. This is not easy, given the legacy, at so many levels, that many are working with. Cyber is the domain in which the greatest threats to our corporate information is being realised. However, risks are coming from all domains – people, process, technology, physical – and now we can add politicians to this list! Professionals know this. Without having full knowledge of your information assets – without knowing what is important to your organisation and what could happen if that information fell into the wrong hands – you are actually running with a level of blindness that in and of itself creates risk(s) and ensures that you are not providing truthful reporting. But – and it’s a big BUT, “Security” is everyone’s responsibility – and everyone needs a LOT more understanding!
There is a US cyber security strategy, an EU one, country specific ones…. So what? It’s not stopping the rot. Corporate businesses are still supporting bad design practices as a result of not allowing the time required to design both safely and securely. Everyone is outsourced to a point of stretch that is unsustainable. In spite of Brexit, we remain full steam ahead on the preparations for the General Data Protection Regulation (GDPR), and with these come a requirement to be able to adopt a “full disclosure” approach to incidents and breaches.
We will also be preparing for adoption of the Network and Information Security (NIS) Directive, which is very much more a directive that operates at a government level but includes a requirement to establish “security and notification requirements for operators of essential services, as well as digital service providers” – with an explanation of who is covered by “essential services”.
Nonetheless, as per the “path to GDPR” picture, what is really required is good project management. In order to achieve the desired outcomes, which will include behaviour change (to deliver “privacy by design”), there is a lot of information required and a lot of understanding across the whole organisation. Security is everyone’s responsibility – and everyone needs a LOT more understanding! Procurement need to understand the implications of the deals being undertaken; so do Legal – and Legal need to not be looking to the Security community to educate them on matters of Information based legislation. Shame on them! Keep up with the law yourselves!
HR need to be much more engaged in helping to discipline badly behaving employees and support the need for showing good security behaviour as being an active element of annual appraisal processes.
IT need to be factoring in safety and security within all change management and future development – not coming to Security right at the end. None of this is rocket science; it’s not new news. Security is a collective. And much like all the rhetoric these past few months, stop believing the hype! The Security industry itself needs to look deep into its soul and reflect on the ethics of selling pipe dreams of layer upon layer of defence over the top of known insecure systems.
There are at least 85 different security tools from 45 different vendors. In an increasing “internet of things” environment, this approach is going to crumble and will embarrass us all. It’s a fallacy to think that we can cure cancer by putting a plaster on it – likewise the continued application of technology to a technology problem cannot be seen to make sense in the abstract!
In conclusion: ensure you know your information asset landscape; ensure you know the impact of the realisation of any threats to those information assets; and stop focussing on just all things “cyber”.
Act Now’s course on Information Risk & Security course runs in London and Manchester in October. See http://www.actnow.org.uk/courses/2015
About the Author
Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member has more than 17 years’ direct information security, assurance and governance experience. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services.