Chair: Martin Gill

Panellists:
Monica Verma – CISO, Speaker, Podcast Host & Producer for We Talk Cyber, and Award Winning Security Advisor
Sarah Armstrong-Smith – Chief Security Advisor at Microsoft, Non-Executive Director and Keynote Speaker
Greg van der Gaast – CISO, International Speaker and Author of “Rethinking InfoSec”

Key points

As Monica Verma says, this is a critical topic. There is a lot of technology, there has been a massive digitalisation process, spurred on by Covid-19, that is a lot of area to attack. Three sectors in particular have witnessed increased cyber-attacks: energy, healthcare, and manufacturing. Most commonly the purpose has been financial again. Monica warns that this is not a zero-sum equation and underlines the importance of operational resilience; offenders can never be beaten all the time but the aim is to make life difficult for them. She calls for a shift in mindset and for finding better communication strategies; there are too many entities speaking different languages. While network separation is important this is only a part of the solution, procedures and people count too.

Sarah Armstrong-Smith notes that cyber-attacks are no longer new. That said she highlights a new recklessness in that offenders are prepared to go one stage further witnessed by a commitment to attacking hospitals and supply chains, she asks, ‘how far will they go?’ This threat is coupled with more focus on fake news about elections, Covid preparedness, vaccine safety, which are destabilising; financial gain is only one motive. These days the attack vector is wide, offenders merely have to find one weak spot in a massive complex array of systems. The cloud for example is massive, busy and includes numerous analytics but the human element in interpreting these is crucial. However, expect to be compromised.  The overall objectives are to focus on prevention while slowing down attacks and being agile enough to respond effectively when they do happen. Patches are important but they take a lot of work and the time they take creates opportunities for offenders. The real aim is to build security into the initial design but the rush to generate business often renders this common-sense approach illusory.

Greg van der Gaast highlights the importance of organisations being effectively resilient, although it is not easy as there are so many points at which a breach can occur. That said, he argues that the root causes are similar, and hence the importance of building in effective security at the design stage. You will hear an interesting discussion which Greg leads on the rather poor achievements of the information security sector over the last two decades. He criticises the silo mentality and the way organisations follow the similar (stereotyped) approaches despite contexts varying according to threat, assets to be protected and budgets available.  He also laments the obsession with standardisation and the need to shift thinking. Within organisations the key for CISOs is to get the support of the hierarchy, the lack of direct access – which is common – is no excuse, it is too important.

For the non cyber security world this webinar will attract attention, many issues that have been aired in previous webinars about the physical security world are mirrored here. The panellists identified many challenges, not least the size of the target for offenders, but also some of the endemic difficulties in responding. That said, there is much we can learn too, the need for security to be involved at the design stage, the value in being connected to key stakeholders not least the major decision makers, and the need to communicate more effectively have a familiar ring to them.

Martin Gill
29th July, 2021