Digital Magna Carta time?

Recently I seem unable to avoid reading material on the security risks associated with the use of technology.  It is certainly a good thing that the topic has a growing profile, as that raises awareness of the risks.  However, I do worry that many articles only articulate the risks and remain silent on the potential benefits of technology enabling our lives.  Writing about the dangerous downsides of how easily Internet of Things (IoT) devices can be hacked will definitely get attention.  This is fine if we also gain the value of people being more aware and then engaging on an informed basis with technology and the related information security risks.

I noticed recently that the New York Stock Exchange (NYSE) had sponsored and circulated a publication called Navigating The Digital Age: The Definitive Cybersecurity Guide (for Directors & Officers) to every NYSE listed company board member.  This was produced in partnership with Palo Alto Networks and a wide and impressive range of contributing writers and organisations.  I found it an excellent read.  What I particularly liked was its clear recognition that people, as much as technology (or process), are at the heart of both the information security threat and the defences.  The need to educate both the consumers of technology enabled solutions and those operating and defending them was well articulated.

The importance of all of us being aware of the risks to our data, and of the steps we can take to mitigate them, is becoming clearer to most people.  The publicity around corporate hacks like Sony and the recent press around the cyber “front” in the current challenging situation in the Middle East are hard to avoid.  However, in recent weeks the questions I have been asked most often about information security have related to stories on the many and various IoT devices that have allegedly proved vulnerable to hacking.  People have raised concerns with me about a wide range of devices, from connected car systems to house alarms to healthcare wearables to pacemakers.  I remember reading, but annoyingly cannot now find, an article which used the term “Internet of Nosey Things” in its discussion of the type and value of the data involved.

[Image: Digital Law]

Indeed the ISACA 2015 Risk Reward Barometer declared that its 7000+ contributors saw IoT as the prime area of information security concern.  The survey reported that over 70% of respondents saw a medium to high likelihood of attack via such devices, either in the consumer context or in the corporate context as they become more common in the workplace.  This concern is compounded by the (ISC)2 Global Information Security Workforce Study 2015, which forecasts that we will simply not have enough security skilled people in the workforce to provide adequate defences.  They see the gap being as many as 1.5 million security workers too few by 2020.

If that forecast proves true then we need to have placed information security at the centre of our technology design process.  In fact, if you look at the automation and machine to machine implications of IoT, then we clearly have to ensure our defences are not operator dependent.  The imperative to automate defences is nicely highlighted by the HP Cyber Security Report 2015.  This is a sobering read of results from interviewing 252 companies in 7 countries.  What particularly stood out in the material is that the time to recover from a cyber-attack has risen from 14 days in 2010 to 46 days in 2015; that the number of successful attacks reported has risen by 46% since 2012; and that the average cost of cybercrime per participating company was $7.7m.

So, having started by saying I was wary of scaremongering articles on information security, I have now drifted towards the negative perspective.  It is quite hard to avoid when considering this topic, I fear.  As the benefit delivered by technology is huge and alluring, so too does it bring risk, and as ever some people don’t see a problem with acting illegally to make money.  In that sense this challenge is nothing new, and we have a good track record across many societies of working out how to protect ourselves (eventually?!) from such threats.

[Image: Magna Carta]

Perhaps we do indeed need a digital age Magna Carta, or its mirror incarnations across the globe.  The content of this updated Magna Carta was built on the input of over 30,000 people, having begun as an initiative focused on school children.  The British Library site hosting the debate has lots of other excellent material worth reviewing.  The good news is that the debate is still open as to what this digital age Magna Carta should state.  Why don’t you go and place your vote?

Images via Shutterstock.com.

Far Too Few!

Like many of us I tend to notice articles flagging up the next big skills demand wave.  Recently an article caught my eye proclaiming that now is the time to have cyber security skills.  A recent study called Global Information Security Workforce 2015, released by (ISC)2, reports that there will be an estimated 1.5 million people too few with skills in this key area.  The study has been conducted annually since 2004, reporting a workforce shortage each time; however, it seems that the supply to demand gap is now accelerating.

The importance of this workforce aspect in relation to cyber security demands is also highlighted in a report I recently read by Accenture entitled “Intelligent Security: Defending The Digital Business”.  In it they summarise the most common issues challenging organisations in mounting an effective response to cyber security, namely:

  • Linking security and business. Tie security programs to business goals and engage stakeholders in the security conversation.
  • Thinking outside the compliance (check) box. Go beyond control- or audit-centred approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.
  • Governing the extended enterprise. Establish appropriate frameworks, policies and controls to protect extended IT environments.
  • Keeping pace with persistent threats. Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.
  • Addressing the security supply/demand imbalance. Develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.

Supporting the report they also have a very good infographic that is worth a visit: “Take A Security Leap Forwards”.

The point Accenture make, that compliance with a given industry’s cyber security regulations is only a good starting point, particularly resonates.  This is a discussion I have had many times over recent months with colleagues.  Meeting compliance requirements is only the minimum level to achieve.  It also often tends to be associated with relatively static, time based audits rather than real-time monitoring and indeed adaptation.  It is pretty clear that the sophistication of externally originated cyber-attacks evolves extremely rapidly.  The points attacked are those where defences are strongest, and in the hyper-connected digital world securing the perimeter, or specific “citadels” within that perimeter, is challenging.  The defences need to be real-time, automated, holistic and appropriately funded, both to meet the risk and to reflect the asset value.

It seems to me that the last year or so has seen a growing understanding of the importance of the Chief Information Security Officer (CISO) role.  Based on hearsay, it seems that they are having an easier task in obtaining adequate funding for their function.  Of course the tooling needs to match the sophistication and evolutionary pace of the cyber attackers.  The CISO needs to be enabled to engage with new and disruptive technologies as they emerge, so they can define a layered defensive strategy that is not perceived as a blocker but rather as adding value and an absolute necessity.  Constructive, frequent and open access to the senior leadership team of any business is critical for a CISO who is empowered to bring real value to their organisation.  Often the decision points will be difficult, as concepts such as innovation, agility and pace are confronted directly by valid concerns about information integrity and protection appropriate to the value it represents.

[Image: cyber security]

As ever in the world of technology, there is money to be made by vendors providing tooling that enables appropriate levels of security in the digital world.  A recent Financial Times article by Hannah Kuchler highlighted that the cyber security market is now estimated at $15bn-$20bn over the next three years.  The article reports that venture capital funding flowing into this area exceeded $1bn for the first time in the first quarter of 2015.  Apparently the venture capital funding for the whole of 2014 for cyber security was $2.3bn, itself an increase of 33% over 2013.  The money is certainly flowing into the cyber security space.  Given the recent experiences of Sony, and the publication by WikiLeaks of the information the hackers extracted, it does start to seem rather unsurprising.

All that said, I do think many organisations face their biggest cyber security risk from threats that are far from new to us.  The first is the often depressing factor of your own company’s people doing something that in hindsight they would fully accept as being dim.  This is often despite the act exposing the corporate information having been heavily and frequently communicated as unacceptable.  However, in my career to date the threat that has caused me most issues has been obsolete software: software that is not listed in the IT asset database and might be lurking under a desk, or part of the “shadow IT” world procured on a credit card and forgotten.  This software is no longer being actively patched for security vulnerabilities by the vendor.  It is so easily missed, and the first time you become aware of its existence might well be a very unfortunate moment.  It sounds trivial compared to the sophisticated cyber attacker, but it does represent an easy access point for them.  There are many examples of obsolete software that has been around long enough to be very well embedded.  The next one I think might create a few issues for many of us is MS Windows Server 2003, which goes out of support in mid July 2015.  Might be worth another check to be sure you will have no surprises in late July?
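The check the paragraph above recommends has two halves: reconcile what the asset database says against what is actually seen on the network (the "under a desk" and "shadow IT" cases), and then compare every product found against its vendor end-of-support date. The following is an added example of that reconciliation, written for this page and not code from the post or from any vendor; the asset records and scan results are constructed sample data, the product names other than Windows Server 2003 are hypothetical, and `END_OF_SUPPORT` is a table you would populate from your own vendors' lifecycle pages (the Windows Server 2003 entry uses the 14 July 2015 date the post refers to as "mid July 2015").

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table. Only the Windows Server 2003 date is a
# real vendor date; "ExampleDB 4" is a hypothetical product used as sample data.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "ExampleDB 4": date(2015, 1, 31),
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str


@dataclass(frozen=True)
class Finding:
    hostname: str
    product: str
    days_left: int      # negative once vendor support has already ended
    registered: bool    # False for hosts the scan saw but the asset DB does not list


# Constructed sample data: what the asset database claims is deployed ...
ASSET_DB = [
    Asset("fs01", "Windows Server 2012"),
    Asset("legacy-app", "Windows Server 2003"),
]

# ... and what a network discovery scan actually observed.
SCAN_RESULTS = [
    Asset("fs01", "Windows Server 2012"),
    Asset("legacy-app", "Windows Server 2003"),
    Asset("under-desk-box", "Windows Server 2003"),   # never registered: shadow IT
    Asset("reporting-vm", "ExampleDB 4"),             # bought on a card, forgotten
]


def merge_inventory(asset_db, scan):
    """Union of registered and scanned hosts keyed by hostname.

    Scan data wins on product, because the scan reflects what is really running.
    Returns the merged map and the set of hostnames the asset DB knows about.
    """
    registered = {a.hostname for a in asset_db}
    merged = {a.hostname: a for a in asset_db}
    merged.update({a.hostname: a for a in scan})
    return merged, registered


def find_unregistered(asset_db, scan):
    """Hosts seen on the network that the asset database has no record of."""
    registered = {a.hostname for a in asset_db}
    return sorted(a.hostname for a in scan if a.hostname not in registered)


def find_unsupported(asset_db, scan, as_of, warn_days=90):
    """Flag every host whose product is past, or within warn_days of, end of support.

    Products with no entry in END_OF_SUPPORT are returned separately as
    'unknown': an inventory entry whose support status nobody can state is
    itself a gap to close, not something to silently treat as fine.
    """
    merged, registered = merge_inventory(asset_db, scan)
    findings, unknown = [], []
    for host, asset in merged.items():
        eol = END_OF_SUPPORT.get(asset.product)
        if eol is None:
            unknown.append(host)
            continue
        days_left = (eol - as_of).days
        if days_left <= warn_days:
            findings.append(Finding(host, asset.product, days_left, host in registered))
    # Most overdue first, so the report leads with what is already unsupported.
    findings.sort(key=lambda f: (f.days_left, f.hostname))
    return findings, sorted(unknown)


if __name__ == "__main__":
    today = date(2015, 6, 1)  # constructed review date, shortly before the July deadline
    for f, _ in [(f, None) for f in find_unsupported(ASSET_DB, SCAN_RESULTS, today)[0]]:
        state = "UNSUPPORTED" if f.days_left < 0 else f"{f.days_left} days left"
        tag = "" if f.registered else "  (not in asset DB)"
        print(f"{f.hostname:16} {f.product:22} {state}{tag}")
    print("unknown support status:", find_unsupported(ASSET_DB, SCAN_RESULTS, today)[1])
    print("seen on network but unregistered:", find_unregistered(ASSET_DB, SCAN_RESULTS))
```

Run against the sample data on 1 June 2015 this lists the hypothetical database host as already unsupported, both Windows Server 2003 machines as 43 days from end of support, and separately calls out that `under-desk-box` and `reporting-vm` are absent from the asset database. In practice the scan list would come from whatever discovery tooling you already run, and the point of keeping `unknown` as a third output is that a product nobody has mapped to a lifecycle date is exactly the kind of thing the paragraph warns about.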

Image via