This document discusses cyber security and breaking down the barriers to effective security. It argues that there is a myth in the UK that cyber attacks won't happen locally, and that security is further challenged by IT teams who want to keep control and by business leaders who focus on immediate costs rather than long-term risk. The document advocates educating IT managers and business leaders with real examples of attacks, and translating technical information into understandable business impacts, to gain support for necessary security improvements.
2. Contents
The Hollywood Myth
The IT Crowd vs Dragons Den
Examples
Conclusions
Questions
3. The Hollywood Myth
A VERY BRITISH PROBLEM
“It will never happen to us”
Major (US) brands get the headlines
Breach data is hard to come by
“We’ve not been hacked, our defenses are fine”
4. The IT Crowd
Offering help yet…
Seen as challenging their methodology
It’s my Castle, I’ll protect it
Let them take ownership
Smarter solutions reduce risk and expenditure
Advancing their status within the company
5. Dragons Den
“I don’t fully understand this, tell me what it costs”
“How much!! Why do we need it?”
“We have more pressing matters”
Explain the business effect
Translate into language they understand
Demystify the myth
Quick introduction of myself along with overview of topic:
Cyber security, hacking and espionage are often perceived to exist only within the realms of science fiction or spy thrillers. Attempting to convince individuals and corporations otherwise is often met with disinterest, malign indifference and in some cases hostility. Much like the hackers we attempt to stop, we must find the flaws in these psychological barriers.
Brief overview of the subject headings:
The Hollywood Myth – Cyber crime and hacking all sound very ‘Die Hard’ or ‘Matrix’; it won’t happen to us.
The IT Crowd – Understanding how IT managers and teams feel under pressure and scrutiny, and may perceive security professionals as a threat to their job. How can we get them on-side?
Dragons Den – The perception of IT security at board level is that of pure cost. IT is a business enabler, however it rarely reduces cost. Fear is a useful tool, but what other languages does the board speak?
Examples – Different approaches for the Board and for IT teams are essential, and we have discussed the approaches required. But what examples can we use to get our message across?
Conclusions – Round up
Questions – ?
We don’t hear it very often, as it is well known that expressing such views is a sure-fire way to bring disaster upon yourself; however, how many times have you thought “it won’t happen to me”?
When we express such thoughts we are rarely calculating the exact probability of said event occurring; we often have no other justification for our naïve view than “it happens in the movies, not to normal people”. The media, in its own unique way, has elevated cyber security issues to Bond-esque levels. Maybe the consistent rise in cyber crime stories was not getting the readership while everyone perceived hackers to be adolescents in their bedrooms? Or maybe The Matrix made hacking ‘cool’ again?
Cyber security professionals run into this attitude over and over again. Explaining threats, vulnerabilities, measurable risk and potential revenue loss is always met with nods of agreement, yet when it comes to the crunch very few people are willing to rock the boat.
But why? What else adds to this misconception?
Major (US) brands get the headlines: data breaches at Target, Home Depot, JP Morgan and Sony hit the news. However, these brands are typically across the pond and suffer no major long-term damage. Large brands absorb the damage and little information is available about the internal turmoil, which adds to the perception that these breaches and the subsequent investigations had little effect on the organisation. Little is heard of the human cost, whether through stress or even redundancy.
Breaches are a highly personal matter for individuals, IT teams and organisations as a whole. The attack may have been facilitated by an employee clicking on a malicious link; would you own up? Maybe the IT infrastructure wasn’t patched to the correct level? Does the CTO tell the board it was his team’s mistake? The organisation appears to have leaked 75m customer account details, and the reputational damage could hurt the share price for the next 2-3 years. Can we keep this internal?
Without specific breach notification laws (which are coming), many organisations keep breaches to themselves, and this exacerbates the perception problem for the cyber security industry.
Finally we come to the companies that honestly believe they are fine as they are. Again the media and Hollywood can take some credit: hacks in the movies typically have a physical end result, whereas headline hacks have the media coverage as their result. What we need to get across is that hackers deal in data, and while they stay quiet within your system they can mine away to their heart’s content. Once their gold mine is spent, maybe then they will let you know.
IT teams can be a minefield when it comes to suggesting security products and services above and beyond what they are currently using. On rare occasions you may see an IT team embrace a new security solution and accept it for what it is: help. More often than not, however, rather than being seen as offering help, you are perceived as telling them that they are not currently doing their job to the fullest.
IT teams will also feel a sense of ownership and responsibility over the systems they administer. After all, everyone who uses those systems asks them for help, which they are likely to (sometimes begrudgingly) offer, walking away with smug satisfaction at another crisis averted on a system only they truly know. Detailing how you would change their empire is never going to work.
The key to managing IT teams is to let them take ownership of the project. Allow them to take the credit for a new solution that both enhances security and reduces current expenditure or risk. This gives them the sense that they are enhancing their position in the company while gaining favour with the board. At the end of the day it will be the IT manager who has to convince the board to release the required funds.
Boards and C-level executives have a very different perception of cyber security. I was once told that having the IT manager tell you he wants to be on the agenda for the next strategy meeting was a sure sign of disaster. Is that because they think something may be going wrong? No, it’s because they know the IT team will be requesting more money.
Boards see IT as a business enabler, and although it may increase productivity in certain areas it rarely reduces cost. IT is typically perceived as a support arm rather than a core business function, and is therefore a necessary evil. Combine this with a lack of technical knowledge and most interactions between IT teams and boards boil down to simple cost evaluations. If, as previously mentioned, we have enthused the IT manager sufficiently, they will push the solution in a way an external service provider cannot.
Getting the value of a product across in this way (via a proxy) can be challenging, however
Using examples of current issues and case studies can only get us so far when attempting to convince organisations of their current risk. Again, with the whole “it won’t happen to me” attitude in our midst, these stories mainly fall on deaf ears.
There has been a spate of headlines detailing massive sums and huge data losses, however they rarely put the losses in the context of their human effect. Sony may need to spend $15m, but what does this actually mean to the board and their employees?
IT teams are all too aware of the workload they would be under in such a situation, however many have little understanding of how easily they could be breached. I have found that a key way to help both the Board and IT departments understand the risk is to actually show them how it works. [Technical demonstration]
What we have discussed leads us to the conclusion that, in order to help clients secure their critical data and infrastructure, we need to take a two-pronged approach.
The IT teams must be given ownership of the project and shown how, by utilising new technologies and strategies, they can reduce both risk and cost. This convinces them that we in the cyber security industry are not here to hinder them but to help make them superstars in their organisation.
The Board must be brought up to speed on current attack vectors and shown how easily they can become a victim. These events are not just happening in the movies or to major multinationals. Seeing how simple the attack vectors can be helps them realise the threat is very real.