Cyber Security Executive Insights
Cyber Intelligence
The Deloitte Symantec Executive Dining Club
A balancing act in security

The Deloitte Symantec Executive Dining Club brings together the leading users and thinkers in Cyber Security at private dining events where participants can speak openly and in-depth about their Cyber challenges and the latest ways to address them. The latest event took place in Autumn 2014 in Central London.

Facilitated by Paul Maher MBA
Participants:
Justin Buhler and Antony Price (Deloitte and Symantec)
Tom Horne, Ocado
Vince Pillay, Domestic & General
Alan Hamilton, Royal London
Kevin Tongs, Kier Group

The Tasting Menu

1. Poor board-level appreciation of the scale of Cyber Threat
There is still a mismatch between the investment required upfront and the increased Cyber Risks organisations face - until there is a public breach. This turns out to be a 'blessing in disguise', as it frees up spending to realistic levels. There is also a lack of acceptance that all, not just some, hacks need to be reported publicly and quickly. This was described as 'Management by media story'.

2. Complexity is driving the need to outsource
There was a feeling that users expect too much of internal IT teams. Most remain blissfully unaware of the consequences of sharing data using inappropriate cloud-based storage and security services. A suggestion was to insource everything first, then outsource once the organisation has gained a full understanding of the issues as they relate to its operations. Given the move to detection and remediation, rather than blind faith in Information Security as 'the last line of defence', the consensus was that Threat Intelligence services are ideal to outsource to large specialist firms, who have more resources to monitor them.

3. The evolving role of IT Security
The traditional role of IT Security around installing Anti Virus patches and resetting passwords is redundant. With a reputation of bringing bad news and preventing the business from producing results, IT Security is being replaced by roles which refer to data. As one diner commented, 'It's about distancing yourself from the IT department'. The key is to make security controls as 'invisible' as possible. In fact, rather like the threats organisations face, security pros need to be dynamic - another reason to distance oneself from the traditional perception of IT.

"As soon as you use Gmail you have ceded control. Then your employees need to manage their own lives."

The discussion was framed around four open questions which provided the spur for conversation.
• With the phenomenon of data growth which, according to industry experts such as IDC, is continuing to grow at rates in excess of 40% year-on-year, do boards recognise this in their expectations about the IS organisation's ability to defend against Cyber-attacks?
• Are there examples of where the organisation is getting more complex and yet the required security is not increasing at the same rate?
• Which areas of the Information Security Portfolio do you believe need to be kept in-house, and thus you should be experts in, and which don't?
• Do you believe the skills market is keeping pace with Cyber Security Requirements?

Contact: Sarah Jarvis, Alliances Marketing Manager, Symantec, 0203 637 0644, sarah_jarvis@symantec.com

"If a supplier insists on showing us plans on their 'Dodgy Share' service, I have to take a risk-based approach to how much I want to see it."

The Main Course

Statistics from IDC show data is growing in excess of 40% year-on-year. Do boards recognise this in their expectations about the IS organisation's ability to defend against Cyber-attacks?

"We have 2,500 people and need 20 lawyers to cope with all the issues which arise from data, which seems disproportionate. But this is a big issue. We have 14 million customers worldwide and 18 million customer records on our systems. Access comes from everywhere; internally, externally and from partners. With our need to comply with ISAE 3000 and our move to Smart Sourcing this issue is likely to get worse."

"Boards may not appreciate the growth in scope of attacks. We worked with a shipping company which was moving nuclear components and naturally got hacked by a foreign power. That focused minds."

"IT works to help the business."

"Until recently, we had lots of little fiefdoms, which presented challenges. Now we've embraced centralisation of support functions (e.g. HR, Finance, Procurement, etc.), which makes data growth and data sharing more transparent. We are moving away from the traditional perimeter security approach to a casino model of security, with lots more measures taken simultaneously."

"Most large UK banks regularly lose millions to fraud. They have enough resources to deal with that. Compared to them we are still amateurs, yet we produce a million alerts a day and so we need to take a much more targeted approach. As soon as you are hacked, you have to report it. Not many boards understand this."

Are there examples of where the organisation is getting more complex and yet the required security is not increasing at the same rate?

"Everyone comes to work and assumes their world is inside the office. Users want everything but they don't want to take the responsibility."

"A lot of the time, non-IT people do not realise what they are doing is creating data with corporate value. However, when someone is asked to pay to have the level of resilience they demand, their perceived need for an IT service can drop down their ranking of importance. They will say 'If it costs £25,000 to protect it, I will not bother.'"

"In a non-regulated industry, users naturally worry less about data being lost. As a security specialist, it is about distancing yourself from the IT department. So I report to the Chief Architect who reports to the Chief Operating Officer."

"Our organisations are becoming more and more porous and the reality is that hackers are opportunists, specialised in finding the cracks. There are a lot of hidden costs for each control we need to put in to allow printing and posting."

"The largest part of my business is shareholder management. If you can't put it in business terms, it will not fly. I make a point of being the Information Security, NOT the IT, Officer."

Which areas of the Information Security Portfolio do you believe need to be kept in-house, and thus you should be experts in, and which don't?

"As a principle, I would insource everything to do with security and then outsource once it is fully understood. Where once the ideal split between in-house and external IT security expertise was 80/20, now it has reached 20/80 and is 'M&M' like, i.e. hard on the outside, soft on the inside."

"We believe most organisations who do not 'do IT for a living' should go to the Cloud. The first thing I do when I hear about new vulnerability issues like Shellshock or Poodle is to consult the Symantec advisors."

Do you believe the skills market is keeping pace with Cyber Security Requirements?

"They used to say IT Security was: educate your users, use decent Antivirus, harden and patch when needed. Nowadays Information Security is facing more and more complex challenges, but you have to make your security as invisible as possible to the end users. [IT Execs] today need to be dynamic because often the business is shifting all around you."

"There are a lot of services needed out there which are not yet being provided by suppliers."

Want to know more?
If you are a senior technology professional interested in participating in future events, please contact Sarah Jarvis at Symantec: sarah_jarvis@symantec.com