Grant Powell MBCS spoke to Steve Sands, BCS ISSG Chair & Data Protection Officer at Synectics Solutions, and Robert Felthouse, CISO at Synectics Solutions, about the need for greater synergy between the boardroom and security departments when it comes to dealing with cyber threat.
Cyber attacks are growing in frequency and complexity. The advent of Ransomware-as-a-Service (RaaS) is causing major headaches among IT security professionals while state-sponsored cyber-warfare threats have risen as a result of the war in Ukraine. In recent months Royal Mail suffered a ransomware attack from the Russian-backed group, LockBit, while outsourcing firm Capita believes the total cost of a recent cyber attack on its services to be in the region of £20m, including recovery and remediation costs, and a significant investment in reinforcing its cyber security provision. In recent days the list of organisations affected by the MOVEit mass hack has grown too. Now, more so than ever, it’s time for organisations to ensure that their departments, driven by the board of directors, are all on the same page when it comes to understanding, preparing for and mitigating threat.
How can an organisation become better prepared to respond to a cyber threat?
Robert: It's ultimately the board of directors’ responsibility to ensure their organisation is prepared for every eventuality up to and including a cyber attack, and the fallout from that. It’s vital that board members are very much clued-up and involved in what’s happening within the organisation from a security perspective, around data, its availability, its integrity and its confidentiality. Data availability is vital for many systems and applications, but less critical for others. Whereas confidentiality, and the potential for it to be broken as a result of a data breach, is what scares everyone the most. Data breaches are the nightmare scenario that I think keep most CISOs awake at night, which is exactly why a joined-up approach is needed across all levels of the business.
Why is the loss of confidentiality, rather than simply the loss of data, such a critical factor?
Robert: Once the data is gone, so is its confidentiality, even if you have retained a copy. By way of an analogy: if someone steals my car, I no longer have it. If my car comes back, I've got my car back. I'm now in sole possession of that car again. But, with data, because the asset being stolen is digital, we’ve got to assume it has been copied. This raises all sorts of obligations for reporting, and you've got to consider the business impact and your reputational impact. It's very public at that point and it doesn’t matter who you are, you probably have a responsibility to report. So yes, while you can possibly decrypt the data following a ransomware attack, or restore it from your backups, its confidentiality may be impossible to get back.
Why is an understanding of business functions important for IT and security teams?
Steve: Security teams need to know what the business drivers are, what the business initiatives are and what security needs to be in place. IT security needs to be enabled around business functions. The easiest thing in the world would be to just say ‘no’ to everything, to lock everything down. But you can't build a business that way. When looking at business opportunities it’s important to gain a thorough understanding of what new risks they might pose and how IT and security teams are going to mitigate those risks. There has to be an ongoing dialogue between board and security, IT, engineering and any other relevant teams. Regular engagement is key and stops security becoming a forgotten entity at senior management and board level.
What makes a board-level relationship so important to an effective cyber security strategy?
Robert: It’s about being prepared ahead of time, because after-the-fact it’s simply too late. Obviously, if there’s an incident it needs to be dealt with, but it’s all about what you have up front in terms of your plans and strategies for dealing with an incident. At Synectics, and I’m sure this isn’t unique, we have a security improvement plan which is continually evolving.
Every year we set objectives to determine how we're going to improve our security posture throughout the year and identify the key areas of focus. The threat landscape will change, and similarly new business opportunities will arise. We deal with this through constant communication across the business, so that strategies can be adapted accordingly. The CISO then reports to the board, and we have regular meetings with board members to gain their buy-in around what the security improvement plan will look like and how it ties in with overarching business objectives.
How important is language when communicating with the board on security issues?
Robert: It’s important to be able to have a conversation about security without getting too technical, because it’s not something they need to hear at board level. It's true and it's relevant, but what’s important here is how it affects the business: what is the business impact of a situation? What are the regulatory requirements? What's the service impact? What's the client impact? It’s about ensuring that the critical nature comes across without losing the interest of those that might not understand the technical terminology. In the event of a security incident the board needs to be updated as to what is going on, what the progress is and what the impacts are.
Steve: And I think this is where that relationship and the ongoing dialogue with those at board level is absolutely fundamental. No matter what the nature of the business, it’s vital that security and IT have a presence in front of the board to cement those key relationships. If the first time a security person engages with the board is when something's gone wrong, that's a tough room. If there's no pre-existing relationship to fall back on and no understanding, from a board perspective, of what the criticality of the affected areas is, then that’s an incredibly difficult first conversation to have.
Do you think there are still businesses that are woefully underprepared for a breach?
Steve: There certainly will be, and often this can be driven by a misconception that they are maybe too small to be attacked and have nothing of value to steal. In fact, quite often the small ones are the easiest ones to breach because they're paying less attention, or they haven't got as much money to invest in security. Smaller businesses may be stakeholders of larger businesses, and this can create problems when a malicious actor utilises weaknesses in a smaller company’s systems to infiltrate a larger company, because they won’t be expecting the attack to come from a trusted source.
Robert: There are those companies that create risk by wilfully not following security protocols, while there are others that struggle to do so because of the industry or sector they work in and potential non-availability of funds to put the relevant defences in place. It's quite an investment to secure any kind of company, yet it’s essential in the modern world with so many prevalent threats. Schools, for example, have a particular problem because they don’t have vast amounts of money to spend on security, yet deal with huge amounts of personal data that need to be kept secure. This presents an ongoing challenge.
Who should organisations go to for help and advice?
Steve: There are plenty of resources out there. The National Cyber Security Centre (NCSC), for example, has recently been reminding businesses not to hesitate to contact them when they've got a critical incident or a crisis. If the expertise does not exist in-house, such resources really are the first port of call in helping businesses ascertain what's going on so that they can make a sensible assessment as to what the impact of an attack is going to be.
If you prepare, if you have those discussions and make appropriate plans, you can forge those key relationships. Then it’s literally just a case of picking up the phone and getting them mobilised, should you ever need to.
How can the right company culture, cascaded from board level, improve cyber resilience?
Robert: A culture of blameless post mortem around any security incident is crucial. It’s a model used by the aviation industry. And this doesn’t necessarily need to be just for big security breaches, it can be applied to general incident management. Everyone should feel safe to be transparent, because if you don’t have that transparency, you're never going to fully understand or be able to recover from an incident. Certainly, in an environment where no one dares to say what happened or why, you can't get to the crux of the issue, so you do need people to feel safe and confident in expressing themselves without fear of reprisal.
Steve: Another part of helping people feel supported and confident in doing their job is the use of training exercises. Such exercises are invaluable for letting businesses play out different scenarios and understand their level of preparedness, while boosting staff confidence and taking away the fear of the unknown. Such exercises, when carried out regularly, increase the likelihood of staff being able to implement what has been practised in a real-life scenario.
Robert: An organisation that is fully invested in protecting its assets, with buy-in and steer from the board, an empowered security team and a proactive blameless culture, will be one that is well-prepared to tackle any major security-related incident, should one arise.