In this blog, CyNam Chairman Chris Dunning Walton talks cyber resilience with Paul Key, Group Chief Information Security Officer (CISO) for Capita. They explore what cyber resilience is and how it fits into the wider cyber security conversation.
Paul Key is an accomplished security professional with over 30 years’ experience of strategy, leadership and communication at all levels. His background allows him to understand a wide range of business, privacy, cyber, security and IT issues covering architecture, service delivery, governance, risk and compliance, technical and infrastructure matters, physical security, application and data security, policies and processes, strategy and business continuity planning, in both traditional and agile working environments.
Paul believes the way forward in security is to build relationships, listen, communicate and work together to overcome the multiple threats and challenges that face organisations today. Security is a team effort; we all need to be involved.
CDW: Paul, today we are going to talk about Cyber Resilience – let’s set the scene. What do you see as the difference between cybersecurity and cyber resilience – and why does cyber resilience matter?
PK: Let us start with the difference. Cyber Security is about getting the foundations right: making sure your business has the right people, processes, and technology in place to defend against, and reduce the possibility of, cybercriminals getting into your organisation or disrupting your business. If we look at the NIST framework, in my eyes this would be the Identify, Protect and Detect elements.
Cyber Resilience is about how your organisation will prepare for and respond to an attack or cyber incident. Again, looking at the NIST framework, this would be the Respond & Recover elements.
So why does Cyber Resilience matter? It is a great question.
As we all know, you can never be 100% secure; there is always somebody out there who can breach a security control. Because of this, organisations need to do everything they can to be able to respond appropriately to an incident or attack. Response needs to be structured, controlled, and delivered in the right way and at the right speed to reduce the impact on your organisation.
However, Cyber Resilience is not all about responding and recovering. It also includes continuous testing and improving of the technology, as well as of the people and processes involved in all aspects of cyber and information security for your organisation, 24×7.
CDW: Do you see Cyber Resilience as a part of Cyber Security or vice versa – e.g. is cybersecurity (keeping them out) just a part of wider cyber resilience?
PK: It’s a good question. I see Cyber Resilience as the glue that holds the cybersecurity elements together. As mentioned in the previous question, cyber resilience needs to include the continuous checking, improving and updating needed to maintain the right level of controls and posture for the organisation.
If we did not do this, the effectiveness of the controls would reduce over time as the threats change and increase.
CDW: So why do you think Cyber Resilience matters today?
PK: As I said, we can never be 100% secure; there is always somebody out there who can breach a security control. Organisations need to have a leg in each camp – cybersecurity and cyber resilience.
The maturity of the organisation will determine where the focus is required, security or resilience.
Looking back to 2020, according to Mimecast’s ‘The State of Email Security Report 2020’, 31% of organisations experienced data loss due to a lack of cyber resilience preparedness. I suspect this number is a lot higher across the globe. Organisations need to shift their thinking around security and cyber controls: it needs to move on from being an IT issue to a business issue that touches every department, function and employee in an organisation.
CDW: What are the key building blocks to developing an effective cyber resilience programme? How has Capita gone about this?
PK: There are many views on what makes an effective cyber resilience programme; in my view it breaks down into 5 building blocks. However, before we look at those 5 blocks, we need to recognise and understand that people play a part in everything we do. We must not forget the human side of security.
Education, awareness, communication, and testing need to be driven with human security in mind; technology cannot be the only control point.
Ok back to the 5 blocks!
- Back to Basics – Organisations need to implement the basic requirements for securing an organisation. NCSC defines the top 10 areas as network security, user education and awareness, malware prevention, removable media controls, secure configuration, user privileges, incident management, monitoring and home / mobile working. In addition to this, I always add one additional area – asset management – you cannot secure what you do not know you have got; asset management needs to include hardware, software and data registers.
- CISO Engagement – Over the last 5-10 years the role of the CISO has slowly been changing, moving towards a more business-facing role with relationships with the C-Suite as well as the security operations and risk functions.
- Testing – Defining, building, implementing, and reviewing a series of tests that assess and assure an organisation that its people, processes and technology are in place and working. These will be a mix of traditional IT Security Health Checks, Penetration Tests, Blue Teaming, Red Teaming and Purple teaming.
- Advanced Technology and Automation – Investigation of new technologies as they hit the market to address the ever-changing threat landscape. A focus on automation to reduce the manual analysis of data and workflows, to improve and deliver standard, repeatable and consistent outcomes from a security perspective, utilising machine learning, AI and other technologies – for example, SOAR at the SOC level, moving to a more proactive cyber defence model rather than a reactive one.
- Proactive Threat Hunting – Having the capability to proactively threat hunt for your business and sector, utilising a mix of people and technology to try to keep one step ahead of the curve for the organisation.
Capita as an organisation employs in the region of 50,000 people across 6 different divisions, supporting all sectors across the globe.
Since joining Capita in January 2020, I have reviewed the various security teams, structures, processes, and technology used across the organisation. I have implemented a series of transformational changes that initially focused on the teams and structure of security, to bring them together as one. Now that the team structure is in place, the security roadmap for 2021 focuses on continuous improvement around testing, advanced technology, automation, and threat hunting, alongside my role working with the business and C-Suite advising them on risks, threats and plans.
CDW: 2020 has been a challenging and, in many ways, a formative year for a new 100% work-from-home model which everyone has had to embrace. How has a distributed workforce model affected the cyber resilience of major corporations? What changes in approach have been necessary in 2020, do you think?
PK: We all agree 2020 has been a challenging year in many ways; the impact of the pandemic touches all of us at home as well as at work. Whilst we all see light at the end of the tunnel in 2021, we cannot take our foot off the gas and sit back; we all need to continue to stay safe and protect our people.
The pandemic has changed the way we all think and work. From a cyber resilience perspective the focus areas include, but are not limited to, the following:
- Communication & Phishing – at the start of the pandemic we saw an increase in COVID-19 related phishing attacks; because of this we increased our communications to all employees about spotting and reacting to phishing emails.
- Testing – As users transitioned from office to home environments, we recognised the need to increase our testing early on during the pandemic to ensure the organisation was prepared for the increase.
- Monitoring / Brace – We all know cyber controls and processes can only go so far and can only be tested against known scenarios. I don’t feel any organisation could have predicted a global pandemic hitting; we took the stance to brace for disruption, i.e. increase monitoring to ensure we were ready to react.
CDW: We’ve seen most recently the hugely damaging aftermath of two large events – the FireEye cyber-attack and the SolarWinds hack. Both are, reportedly, by nation-state actors. What is your take on these?
PK: As we know, the FireEye breach and the SolarWinds hack are a shot across the bows of the security industry and security teams worldwide. The size and scale of the two incidents, when looked at together, and the number of high-profile organisations affected is staggering.
As a security professional, this brings home the point that we are never 100% secure. We can do everything in our power to reduce the risk, but somebody will always find a way to get in. State-sponsored or not, these attacks normally have a financial driver behind them for the hackers; for the right amount of money, hackers will break through controls and gain access.
CDW: So, if we look at FireEye specifically, the response from the security industry has been an interesting one, with most people being supportive of FireEye, which is a turnaround from other high-profile breaches with, say, Sony or TalkTalk. Knowing how seriously FireEye, a cybersecurity company, takes its security, does this emphasise even further the need to move to a high cyber resilience model?
PK: FireEye, SolarWinds, Microsoft, BA, Marriott, and all the other high-profile organisations that have been in the media recently – this should be a wakeup call for security teams to increase focus on cyber resilience, be prepared, know what you have, know your environment, know your team, test your plans, include your business, include your C-Suite, get them involved in the scenario planning so they recognise and understand the need to be prepared.
If you do not do this, and you do not know what is happening within your infrastructure and environment, and you are not prepared for an attack or breach, then you only have yourself to blame. With the information and data I have seen, I believe FireEye have done everything they could to protect their organisation.
CDW: Do we need to accept that breaches are now to be expected – it’s how we respond to these which will determine success or not…?
PK: We all know there will be breaches in the future; should we accept this? No. It’s how, who, and when you respond as an organisation that makes the difference.
There are so many organisations and communities available that can help, advise and even deliver services to reduce risk and to create, test and manage cyber resilience going forward.
Without the right people, processes, technology and plans in place, future security attacks will be successful.
CDW: So, let’s say you’re a CISO talking to the Board and the CEO about Cyber Resilience and how, in effect, nothing is totally secure and we need to prepare for the worst. How do you do that effectively, engaging the Board and ExCo without being seen as a typical “CISO Killjoy”?
PK: It’s a great question, and in true security fashion there is never a one-size-fits-all; I can only talk about what has worked well for me.
My approach is quite simple: I break the key aspects of information and cybersecurity down into 6 areas:
- Cyber Resilience
- Physical Security
- Governance & Assurance
- Legal, Regulatory & Compliance
Each of these has a clear risk statement attached to them, and then several controls in each with a control effectiveness score and risk score.
This allows me to set the scene and discuss where more focus is required in each area to be prepared for a breach or attack. Again, the level of focus and activity in each area will depend on the organisation.
This approach allows for a regular update / cyber dashboard view to be presented at a high executive level, with the capability to drill down into details and facts where required.
Now, we all know that C-Suites have various levels of knowledge, experience and understanding of cybersecurity; the CISO’s role is to remove the complexity and make it easier to understand, whilst keeping the seriousness of the subject. I have found that running desktop scenarios works well for executive boards that are new to the CISO or are newly formed due to business growth or changes. The scenarios bring to life the roles and responsibilities that the Execs play during a major cyber incident, but also help strengthen the need to maintain the right level of investment in security and cyber resilience.
I am not an advocate of the ticking-time-bomb approach, or the fear, uncertainty and doubt approach, which in my experience is short-lived. As a CISO you need to build a relationship with the C-Suite and have the capability to discuss at the right level, which allows for ongoing engagement and leadership.
CDW: What would be your advice and guidance to companies developing a more evolved cyber resilience posture?
PK: Back to basics: know your environment, assets, people and technology, and follow the ten steps from the NCSC. Always ensure you do not forget the human side of security; people can be your weakest link, but they are also your strongest.