Security is moving beyond being built in or bolted on, to being more agile in a “built beyond” model.
Speaking at the Cyber Security Summit in London, Mark Brown, executive director of cyber security and resilience at EY, said that trying to maintain 100 per cent security “is a false target” as a cyber criminal will take three, four or five minutes to buy malware which infects you, while businesses take three, four or five months to buy technology to defend themselves.
He said: “With risk management, human awareness has to be built in and if we focus on bolt on security, we will fail. There is too much focus on today than tomorrow, and too much of a static and reactionary approach to business.”
Brown said that he is seeing more evidence of security being built into projects and products, and that it is now being considered at the design phase and not being retrofitted, as it is the right thing to do.
“Built-in requires about eight to ten per cent of cost, bolted-on requires anything from 30-40 per cent of cost,” he said. “Built-in is about being flexible, not about 40 page policies and prescriptive level on what you must do, and at most the policy should be two pages and that is the direction of travel and concept that businesses work towards.
“It is not about waterfall based programmes, agile security is something businesses are driving towards and we have to be driving towards this for the businesses of tomorrow.”
He went on to say that it is unavoidable to prevent an attack, not only built-in, but also in “built beyond” and it should be part of business strategy.
Brown said that many businesses have a design authority and a business decision process has a design authority, and security is often not a part of it, so we should ask why. “It is not a business process, but a part of every process that exists,” he said. “To not have security bolted into the process will allow businesses to make the wrong decisions.”
He said that for tomorrow, we should take “our eye off today”, and not just in security operations, but we have been driven to cyber threat intelligence and it is not just about threat and vulnerability management, or exposures or penetration tests, but an auditory approach.
“Having a proactive approach will help you engender yourself,” he said. “There is no silver bullet from vendors and no one product will stop all cyber security threats, and if you accept breaches will occur and be confident that incident management will work, then we have to ensure that business leaders are aware of their role in cyber incident management.”
He concluded by saying that if we do not maintain trust from the population, we will remain on a paper based system that hampers the efficiency of Government, and if we understand the threat and benefits, we have to rehearse and build plans that say “this will happen”.
“If we get good security and a good balance of risk and control, we can enable businesses and the UK to be the safest place to do business and create a digital economy.”