Being pretty intolerant of other people is a stereotype that might not go down well with everyone in the IT crowd – although we know stereotypes often have some truth in them – I am a loud northerner, after all.
But today, Infosec Europe opened in London with a message from Intel Security’s Raj Samani that seemed to try to set the tone for a very different info-secure future.
“A lot has changed in the last 12 months. We’ve all read about major breaches, but I feel like we’re finally starting to ask the right questions.”
Those right questions are not, as the media would like us to believe “what was the malware and who did it?”, just implying there’s some geopolitical point to prove.
We know what happens when a major telco is breached, he said, referring to TalkTalk losing more than 100,000 customers after losing control of its data. We know that critical infrastructure is now a target, he added.
“Ransomware is groups of people working together to help people carry out attacks. All you need now is a bitcoin wallet and then to decide how much money you want to charge. And they’ve been doing this a lot longer than we have.”
That’s part of the reason Intel and BT joint-sponsored Infosec in its 21st year, Samani said, frankly, it’s time to grow up.
“We did this to show that we need to collaborate as an industry… Unless we collaborate as an industry, the bad guys will continue to make hundred of billions of pounds, euros, whatever, from us.”
But that no longer means just bad IT guys versus good IT guys. A company’s main point of weakness remains its naive, curious or narcissistic team of people, each with a mouse in their hand.
Security at work at scale
In a panel chaired by David Shearer from certification body ICS2, there was a pretty unanimous feeling that enterprise cyber awareness programmes suck.
“Broadly, if training just consists of repeating your cyber policies, you’re wasting money, time and the goodwill of employees,” said Professor Angela Sasse, director of the UK’s Research Institute in Science of Cyber Security (RISCS).
“Campaigns run to raise awareness to the public are pitiful too. There are three or four different websites giving different advice, which is not very helpful.
“But really, we need to clean our house before we ask people to change their behaviour. We give conflicting advice because it’s just rubbish.”
RISCS, which was formed as part of the UK National Cyber Security Strategy, recently conducted industry-leading research on the issue with HP Enterprise.
“One thing I’d highlight is that it’s not is a cheap option. First and foremost, you have to change the technology to make sure it does deliver in terms of security and then embark on the business change programme.
“If you want your awareness programme to succeed, you have to engage, engage, engage, with staff and managers.”
But she said that many IT professional are not yet equipped to deliver such programmes.
“There have to be soft skills in there, how to engage, how to be approachable, how to have positive engagement. People need more skills to do that successfully.”
Answering dumb questions
Thom Langford, CISO at huge advertising agency Publicis, agreed. “You have to be open to people asking a dumb question, let them be open to admitting they’ve sent out an entire database on email.
“You can’t fire them straight away otherwise no one will ever come forward ever again.”
Uber’s Security Awareness and Education Programme Manager Samantha Davison outlined how her company had got staff buy-in from the beginning in order to fend off cyber attacks.
“Attackers and hackers aren’t going to wait for a company to become best before going after platforms, data and people.
“TK [CEO Travis Kalanick, yep they call him that] is vital for Uber’s success. It’s obvious TK believes in it and that has a trickle down effect.”
During a recent US government cyber initiative, she said they’d had 70 per cent voluntary participation from staff. Yep.
“We’re in 70 countries, so one size fits all is never going to work for us… However, Uber is a big pool of millennials so there’s not a ton of age diversity.”
She criticise the idea “given by the press” that young people are the most difficult to train and said through gamification and team-based competition, they’d managed to avoid major breaches.
Of course, that same approach might not work with company of lawyers.
“The metaphor of security as a team sport is a really powerful one,” agreed Angela Sasse. “But that also means many executives need training, they can’t delegate this wholesale to technology teams either.”
We know now that technology is in everyone’s hands and so cyber is no longer just one person’s problem.
Will #Infosec17 be filled with great stories of companies putting this knowledge to good use? Here’s hoping!