A cyberattack is probably one of the worst nightmares a company can face, especially as digital systems evolve, data proliferates and technology advances at pace. Business can be interrupted, consumers’ information can be compromised, and reputations can suffer – and managing risks is arguably more complicated than ever.
The challenges for security professionals are many and varied, including how the risk of an incident is presented to board directors and ways in which buy-in and budgets can be secured.
For Tony Burton, managing director for cyber and trust at consulting and manufacturing firm Thales, one of the toughest questions to answer is how resilient is resilient enough – and how do you measure it?
“If you go through the cycle of detecting [an incident], finding something, doing something about it, trying to respond, there’s an impact to the business and you can see that it’s tangible,” he says. But resilience is a product of many variables, including the training people have and how often tools are updated, he adds.
“All of which need a level of investment, which ultimately boards need to sign up to,” Burton says.
Key challenges
For James Humbles, head of IT governance and risk at credit company Novuna, these tough board conversations are starting to happen, especially in the face of financial services regulation. “This is the level of risk your company is exposed to, is that acceptable? Is that within tolerance, or do you need to spend some money, or do you need us to find a … different solution?” are some of the questions being discussed, he says.
Getting the investment right is a balance, according to Mark Woods, chief technical adviser, EMEA, at enterprise resilience platform Splunk. “When it comes to systems, I talk about stability, responsiveness, and predictability and you can’t have them all. Normally, when you make a big investment, are you making that investment for stability or responsiveness? Often, the focus is not made clear. Typically, you surround that with something that is going to give you a level of predictability,” he says.
Richard Frost, chief information security officer at insurance firm Esure, puts in place key risk indicators (KRIs) and key performance indicators (KPIs) which he discusses with the company’s risk committee every month. But what he finds challenging is the thousands of vulnerabilities in the cloud – Esure is in the middle of a digital transformation – and working out how to prioritise them.
“Security should be proactive, where we should be secure enough to allow the business to disrupt the market … what that means is we need to have the best security controls possible – which means big investment,” Frost says.
Future proofing
Long-term business strategies also require a proactive approach to security. Dunnhumby, the data organisation owned by Tesco, is about six months into a three-year plan, and the company’s chief information and security officer Martyn Booth is working on getting the security team ready for that time when the risk profile will “dramatically shift.”
“Strategically [we are working on] understanding where the business is going and what they need from us when, so that we can prepare backwards in terms of budgets… and getting buy-in from the relevant stakeholders,” he says.
In many industries, technology is evolving at pace, and sometimes blending – as is the case in the automotive and energy sectors, which are working together on infrastructure for electric vehicles (EVs).
The UK’s ambition to end the sale of new petrol and diesel cars by 2030 will require innovative ways to make sure there is enough electricity for these new EVs. “The real challenge is in the information that allows all of that to happen – it has to be accurate and dependable,” Burton says.
With hostile interest from other nations, and potentially from organised crime, among the risks to that infrastructure, the threat landscape needs to be considered early on, he adds.
Esure’s Frost aims to get senior executives involved in projects early so they understand what’s required from a security perspective – and how much it might cost. “I’ve been in situations at other companies where all of a sudden, security comes in at the last minute and says: ‘this isn’t good enough,’ and that can cause friction,” he says. Frost now has security architecture reporting to him, as well as DevSecOps (development security operations) engineers, so that he can “embed” security into different teams, he says.
Business culture and teams
Having teams from different disciplines work well together is something many of the panel are grappling with. Dunnhumby has around 1,200 developers, and one challenge is having technology teams embed common ways of working, says Booth.
“We just can’t, as a security team, be expected to hook into that many different ways of working and have a flexible enough process that will cater for effectively 700 or so different ways of doing the same thing,” he says.
Making sure security is consistent in its application is also a challenge for Dunnhumby. “It involves lots of soft stuff that we’re not as good at as security professionals – like cultural change – we’re trying to work out how to crack that,” Booth says.
Collaboration is important for Humbles at Novuna, who spends a lot of time with the organisation’s security architect, who reports to the chief technology officer, as well as the head of information security, to make sure their activities are aligned. “We make sure that the [people on the] projects know their boundaries and how far they can go before they need to come and do a sense check,” he says.
One of the challenges when talking about resilience and security threats is that most people within a business are not experts, Woods points out, and they may not engage with documentation about risk profiles, because it’s intimidating, or people feel they don’t have time to understand it. He suggests trying to communicate in plain English what assumptions are being made by the business and visibly show how this contributes to a resilience risk.
Skills challenge
Another issue the panel brings up is a shortage of talent. “A real challenge in the UK is access to all of the right level and volume of skills to be able to deal with … everything from cybersecurity through to the broader resilience [of a business],” Burton says.
For Woods, being honest about the impact someone may have in an organisation is the best policy. Technically astute people, “who could go pretty much anywhere,” will see through corporate-speak about a company’s purpose, he says. “Be really specific about the things that they need [to do the job], and the things that you’ll train them on,” he suggests.
Other participants advocate apprenticeship schemes, with Novuna having apprentices working across various IT functions. “The sooner we get them, and get them engaged, the better they become,” Humbles says.
And Frost’s approach is to give people what they want. “If you go through a transformation, you’ve got new, interesting work – and people love those things.”
The challenges for security teams are coming fast and furious, and alongside providing interesting work for teams, they’re set to keep firms busy for the foreseeable future. But the strategies for success are clear: work with senior leaders to help them understand what’s important early on, focus on a collaborative culture – and one that communicates well across teams – and work hard to attract new entrants. And – be sure to speak in plain English.