Cybersecurity: Beyond the Emerging Truisms
Written by Robin King, Photo by Blue Coat Photos
So how on earth did this happen? I find myself writing this piece by virtue of what seems to be a reputation founded on experience and knowledge gained over 20 years in an industry sector which has now certainly ‘come of age’. This thorny problem, relevant across the globe and in which I find myself in the mix, is that of ‘Cybersecurity’.
Through the changes that have widened the scope of the information security challenge, many will be aware of the reality that our presence in cyberspace is not without danger.
Nations fear it as their next battlefield, and organisations see their risk profile increase as their places in complex supply chains, as both suppliers and customers, become inextricably linked and difficult to quantify and manage. Breaches of trust, privacy and security all now teeter on the cusp of new financial penalties, which can dramatically affect a company’s profitability and sustainability. And, of course, the rest of us, in our roles as citizens, employees, voters, shareholders, parents, children and anything in between, are seeing new risks gradually emerge through the news we see and the guidance we are offered.
It is very easy to paint a bleak and dystopian view of a world that has too rapidly embraced technology without truly affording the protection required to manage the risk associated with it.
So why have some fared better than others in their resilience to an attack?
Firstly, the approach taken by defence and security organisations considers risk in a very specific way. At the extreme end, the war-fighters rely very heavily on the critical systems that enable them to ‘reach’ their targets, and those systems are considered indispensable. As such, their risk profile is based on those systems not being compromised to the extent that they are rendered useless and irrecoverable. There is almost no other option: without them they are left vulnerable or incapable, and the battle may typically be lost as a consequence. As a result, and as you would expect, stringent standards are set as to what level of protection is required in relation to the specific risks that are faced. In the UK, this standard is set under the guidance of GCHQ (Government Communications Headquarters).
If we now consider a comparable situation for businesses: when a ‘critical’ system is compromised, there may be a disruption affecting productivity or some data may be lost, but we rarely see that business fail. It may be damaged, to the extent that it loses shareholder confidence or stock value, but in many large recent examples, of which there are plenty, quite often the response actually builds confidence and the business is able to continue in a patched-up state to ‘fight another day’. Clearly, here the battle is not lost.
So perhaps the commercial systems are indeed ‘recoverable’ and the need to be able to survive an attack is somehow not worth investing in? But for how long can this continue to be the case?
What these contrasting perspectives highlight is the reason why the cybersecurity approach taken by the defence and security community has been very different to that taken by many commercial organisations, who are now carrying significant and ill-managed risk.
To simplify the ‘defence-grade’ approach, think about ship design. This is traditionally based on compartments and bulkheads, critical in the design to ensure that a failure at one point does not compromise the integrity of the whole vessel. If one compartment is compromised, this can be contained and managed without breaching further, meaning there is a good chance of survival. This approach now, reassuringly, forms the cybersecurity guidance being encouraged for those businesses responsible for the provision of our critical national infrastructure: energy, water, transportation, communications, food production, finance and key manufacturing sectors. However, I do fear there is some way to go here, as the cost of change and the necessary transformation is high.
Alas, much of the commercial world has not been ‘regulated’ or explicitly steered in this way. As technology has been universally embraced to enhance customer experience, improve operating efficiency, create new commercial opportunity and make caring and sharing a lot easier, the optionally used ‘commercial’ security rule book mandates no use of the principles of solid information security to ensure appropriate protection.
The recent increased awareness of cyber risk, and the consequent rear-guard action to address it, still feels to me like the horse has well and truly bolted, leaving the stable door flapping in winds blown by the now ‘industrialised’ scale of cyber-attack.
It is now too easy to mount simple attacks on accessible and under-protected organisations and to reap large rewards in the process.
So, what does a brighter future look like? The benefit of having worked with some of the brightest minds, the good guys in the battle, tempers my fear for the future.
Innovation remains high and, with GCHQ having been given the responsibility within Government to address this challenge, I have seen a shift that recognises the need for pragmatism and the opportunity to share guidance and best practice that will offer simple improvements for all organisations, in order to secure a significant advantage.
However, simply looking at the guidance offered by the National Cyber Security Centre (NCSC) will not improve the situation; some action does need to be taken, and it will invariably involve both budget and organisational change. It is, too often, easier to take the most enticing option: do nothing just yet and hope the guy next door gets hit first. However, some innovative thinking does offer hope. An emerging approach that considers ‘cyber’ risk from a different perspective could be the game changer.
The opportunity to ‘invest’ in better protection is more readily accepted when we consider what value ‘better-protected information’ offers. If we consider the commercial opportunity that investing in better protection presents, we can then re-orientate the problem to get the cybersecurity glass looking half full, so we can look forward with confidence.
And finally, here’s one for you to ponder. Whilst the term cybersecurity has been welcomed in terms of highlighting the growth of the problem, it has been buried, for many, in the view that it is a ‘technical’ problem and therefore demands a ‘technical’ fix. This is dangerous. The reality is that ‘cyber’ is actually just a different component of risk, one that exposes us to wider threats and vulnerabilities that are almost exponentially more open and pervasive than we have had in the past. Any actual damage only becomes material in the consequent nature of the impact: losing money, reputation, customers, capacity, business availability or the battle.
If I am ‘owned’ in cyberspace, whilst that may worry me, what I am actually fearful of is when that ownership affects my bank account, my power supply, the operation of my business, my family or my country. It’s no different to those other risks, out there in the wild, that we tend to address more instinctively.
As for supporting growth in Exeter, perhaps embracing the UK policy direction for improved cybersecurity, by striving for a strong and productive economy comprised of confident, resilient, differentiated and sustainable businesses, is the answer for us all.
Robin is an experienced, sales-focused business owner with specialism in the Cyber Security market. He has held senior roles within a range of companies, bringing together the skills of highly experienced teams to lead solutions and services into a range of public and private sector markets, notably the Defence and Security sectors in both the UK and overseas. He retains senior relationships relevant to the UK Cyber Security market including those with Government, the System Integration and Prime Contractor communities and with several Academic institutions. As a Director of BAR Associates, he is supporting a number of cyber security businesses with their growth through innovation and is supporting the UK Cyber Growth Partnership with their Business Accelerator and Mentoring initiatives.