Chair: Martin Gill
Tarquin Folliss OBE – Vice Chairman at Reliance acsn (UK)
Richard Bach – Director at Kontago (UK)
Sachin Bhatt – Senior Associate at Schillings International LLP (UK)
Richard Bach starts by examining the concept (my word not his) of the ‘perimeter’. Pre Covid-19 it was clear what this was but the way events have evolved over the last 6 months or so it has become blurred, and one consequence is that it is no longer predictable. Remote working has created different vulnerabilities; there has been a re-drawing of the boundary and CISOs are being required to react to this new challenge. Employees are being asked to operate from their living rooms and their activities are largely invisible now. Moreover, organisations need their trust; their indulgence to be honest in a way that is different to before. Technologies can be the CISOs friend although good policy and procedures (reminding staff of the dangers and guiding them to solutions) are central too and this new environment is sharpening the senses of the CISO; it is new territory. As he argues, unless organisations find ways of managing these business risks effectively in the distributive environment then they won’t be able to operate. The challenge is to manage the risks as organisations move to the new normal.
Sachin Bhatt discusses the step change in pace for organisations as they adapt to something that has been thrust upon them. The need to have virtual offices has been a shock for some organisations and in this new world CISOs have found they lack the same control, over devices and over infrastructure. There is a need to look at different technologies and understand the ways they are impacting in an environment that is still changing rapidly. The new ways of working need to take account of the reality that staff can’t see how colleagues are working, they can’t so easily remind them of good practices or notice when bad practices start and before they become habits. Nor can the use of devoices for multiple purposes be monitored so easily.
Tarquin Folliss mentions three words at the start of his opening statement: ‘control’, ‘perimeter’ and ‘revolution’. He discusses each. Interestingly he notes that although many organisations gave the impression that they were prepared so it was true that there was massive panic buying of equipment. Moreover, the first aim was to ensure business works and there was a sense of adding security afterwards. This is good for criminals who have exploited the loopholes. He discusses for example a rise in ransomware and email compromise leading to push payment frauds, and a rise in scams where criminals are preying on people’s fears. He echoes Richard’s point that CISOs don’t have the same control over perimeters now, the frontline is the server or modem or router of users; staff are not so connected to the centre and if they make a mistake they are distanced from help. He notes that all organisations are worried about data and control is easier when everyone is in an office, when people work remotely there is more emphasis on trust so caring for people is key. That said, we should not exaggerate the death of the office, it is there it is just different now.
What this webinar reminds us is that the territory is still evolving. We are still working through the changes and what the new normal will look like remains work in progress. The panel were not too concerned that crime was running rampant through the work of malicious insiders, but there is a need to ensure that technologies work, that people interface with them effectively, and that companies place an emphasis in looking after their people, that includes their mental health; there has never been a more important time for that.
6th October 2020