Cyber has become a major part of attack and defence, and the board and business are as accountable as IT.
Speaking at the Cyber Security Show, which is held under the Chatham House Rule, a former director general of a Government intelligence agency who now advises security companies said he was struck by how much cyber had become the issue of the moment, and how cyber intelligence had become a key part of modern knowledge.
They identified six key areas of cyber intelligence to understand and consider: people; the person layer; the device layer; the control layer; the network layer; and geography. They added that keeping legal firms up to speed with cyber is one of the big challenges we face, as the legal profession is often “divorced” from the issue.
“We don't have a legal context that can adapt and move to the challenges we face,” they said.
Looking at major threat areas, they said that the first and most important element of defence is cyber intelligence, and understanding the nature of the threat we face and how it operates at this level. “We need a contextual background to make risk decisions and understand what is happening now on your networks to make informed decisions of a more tactical nature,” they said.
“Companies are often not aware of what is happening on their systems and unless you have awareness, all you can do is have effective response mechanisms rather than defence mechanisms.”
They acknowledged that selling security to the board is difficult if you are not a technical expert, but identified the key questions to work through. The first is understanding what your critical data holdings are; this is not an issue just for the CIO, but for the whole company, to understand what is critical to you. The next is the question of threat: getting real-time visibility of known threats and working out the “unknown unknowns”.
“Then understand what you are trying to protect against, and then you are in a position to set a risk appetite statement,” they said. “But we don't find many who have gone through the process with real vigour so the board buys into cyber risk, and without it, it is difficult to know what the risk is according to where it needs to be.”
They acknowledged that fixing the problems starts with people, and that an executive has to have buy-in, as it is about the business and culture as well as the technical aspects.