With the number of cyber-attacks on businesses increasing every year, there are growing calls to fundamentally change the way that companies view cybersecurity. Gone are the days when a small IT department could safely protect the data of a huge multinational. From the boardroom to the reception desk, all employees must be engaged when it comes to cybersecurity, and the growing danger of insider sabotage must be taken very seriously.
European CEO spoke to Andrew Fitzmaurice, CEO of Templar Executives, about how the firm is working to modernise the cybersecurity industry and help companies safeguard their data now and into the future.
Cybersecurity has been a hot topic for a few years now. What is the current state of cybersecurity awareness?
Despite the daily reporting of adverse cybersecurity incidents, the current state of awareness and understanding is still surprisingly low. In Templar Executives’ experience, there are a number of contributory factors. Primarily, there is still too much belief, in spite of overwhelming evidence to the contrary, that this is a problem that can be wholly solved by the IT department.
There is also a tremendous amount of hype and complex terminology surrounding this agenda. This is compounded by a cultural misalignment which makes it challenging for organisations to take a holistic approach. These factors alone allow boards and the business functions of many organisations to view cybersecurity as an IT issue, and justify keeping it at arm’s length. In our experience, the most successful companies we work with are those that have built on their awareness; they see cybersecurity as a legitimate business process that is applied to measure the successful optimisation of all areas of their organisation, and not something that is viewed as conventional ‘security’.
The cybersecurity landscape is a complex one – what’s new for 2016?
It is inevitable that, as technology evolves, so will threats. However, a new trend we are experiencing is the growing organisation, intensity and targeting of attacks.
There has been a significant increase in ‘spear phishing’ (targeted scam emails) against executives, often achieved by using information obtained through social media, malicious telephone calls (vishing) and ‘humint’ (intelligence gained through human interactions). We are also seeing the supply chains of larger organisations being systematically exposed as attackers exploit vulnerabilities to gain entry into an organisation. In this process, the attackers are also successfully targeting the supply chain itself, which often owns valuable intellectual property and resources. 2016 is also the year ‘ransomware’ hit the headlines; two years ago this phrase barely registered, but in the first quarter of this year ransomware attacks in the UK, targeting individuals and businesses of all sizes, are estimated to have grown by a staggering 3,500 percent. Finally, the growing insider threat is forcing organisations to consider the human factor when addressing their cybersecurity agenda.
What challenges face those wanting to make a difference?
One of the key challenges for those looking to make a difference when it comes to cybersecurity is how to overturn cultural practices that exacerbate the risks and make it impossible to stay abreast of the evolving threat landscape. Another is ensuring the organisation has a collective business-focused understanding, from the board to the front line, of the cybersecurity strategy, and that this is supported by proactive governance. Underpinning all of this is the challenge to ensure consistent and relevant education and awareness for employees.
Addressing these challenges will build agility and resilience. However, a successful programme also needs empirical data to demonstrate a tangible return on investment – a challenge very few are able to meet. It is noteworthy that one of our signature case studies is a multinational company that has tracked how it has benefitted from adopting Templar’s business-enhancing approach, and has recently reported a return of £7.5bn on a £30m investment.
From a CEO’s perspective what options are there to address the growing cybersecurity issue?
The approach many CEOs take to cybersecurity will be shaped by the type of business and the sector they operate in, including compliance and regulatory pressures. Obtaining a holistic assessment of the organisation is fundamental to making and prioritising decisions. We advocate that CEOs start with an independent cybersecurity health check, carried out by credible specialists. The results point CEOs towards decisions around those standards and the levels of maturity that need to be achieved across all areas of an organisation: people, processes, culture and IT.
The right governance will embed the right mixture of technology, processes and education to ensure the organisation can operate safely and prosper. Any recommendations must be backed up with the relevant business case, showing the possible return on investment, rather than looking to secure investment based on promoting a negative agenda – the latter often has the effect of creating cynicism among CEOs, who quite rightly live by the mantra “don’t give me problems, I need solutions”. This approach will enable the CEO to translate information risk into business choices and options. By ensuring that critical information assets are identified, proportionate controls can be implemented to protect the organisation’s ‘crown jewels’ while allowing them to be exploited for the benefit of the business.
What role can technology play and what types of solutions should CEOs consider investing in?
Technology is an essential element of the holistic approach to mitigating cyber risks. As well as a first line of defence, it provides the capability to prevent, monitor and react to the threat. A key part of our health checks and audits is a technical assessment which also looks at the effectiveness of the technology in terms of implementation and the user community. Our recommendations to help clients improve their cybersecurity maturity and resilience are tailored to meet the needs of the organisation, and take into account the return on investment and associated benefits.
There is a natural rhythm to the needs of an organisation, but we are increasingly seeing less cybersecurity outsourcing from larger organisations, as they consider building their own security operations centres. To make this economically viable, we will often advise on it being a hybrid solution involving some external monitoring augmented by clever network-based tools which, for example, give visibility of end-user activity in real time. This market-leading type of solution can help address issues proactively, and can also be used to mitigate against the growing insider threat that companies face.
What is your view on the professionalisation of cybersecurity, and what does the future hold?
Over the last few years, there has been much debate about the skills and career pathways that need to be developed in order to facilitate the growing demand for cybersecurity professionals. Increasingly, endorsement of individuals is done through qualifications, and we have seen a noticeable uptake of professionals applying to take GCHQ-certified courses through our world-class Templar Cyber Academy. Professionalisation of governance roles is particularly important for organisations looking to develop their cyber-maturity and resilience, as it is vital to ensure an alignment between responsibility and accountability for cybersecurity.
Although many organisations use the CIO role to bridge the gap between the technical and business sides of the coin at board level, we see the role of the chief information security officer (or CISO) gaining greater strategic importance. In terms of the future, there is no doubt that cybersecurity is a growing international market, and increasingly it is pedigree, track record and people expertise that will differentiate companies in the global arena. At Templar Executives, our aim is to remain the trusted advisor of choice when it comes to making cybersecurity a business enabling proposition for all of our clients across the public and private sectors.