Deloitte Sym - Cyber Security Executive Insights
Transcription
Deloitte Sym - Cyber Security Executive Insights
Cyber Intelligence The Deloitte Symantec Executive Dining Club Critical security matters The Deloitte Symantec Executive Dining Club brings together the leading users and thinkers in Cyber Security at private dining events where participants can speak openly and in-depth about their Cyber challenges and the latest ways to address them. The latest event took place in Winter 2015 in Central London. Facilitated by Paul Maher MBA Peter Lawrence The Tasting Menu Neil Sparrow Centrica 1. The Energy sector faces challenges like no other Paul Jenkinson A close-knit group, this highly competi- 3. Security professionals are focusing on doing fewer things right tive sector stands to gain more than Thanks to lengthy investment cycles and most from the sharing of threat intelli- the sheer size of the infrastructure, as gence and best practices. With energy well as regulatory and CNI consider- prices falling, IT security budgets, need ations, IT security professionals in this to be spent wisely. sector are under pressure to deliver. 2. Defending Critical National Infrastructure (CNI) is harder than ever 4. The IT security of this sector affects all of us Evidence of the tumbling costs of the security remains a focus, with organisa- hackers’ ‘tools of their trade’ is only tions using the latest communication increasing the challenge of securing CNI. techniques to deliver key messages. EDF UK Power Networks Joe Howard DECC Jeremy Wood Deloitte Rhiannon Jones Deloitte Antony Price Symantec Educating co-workers on information Additionally broader public debate will be needed as smart meters roll out. The discussion was framed around four areas “ If a retailer goes down, their business is affected. If we go down, there may well be lives at ” stake. Contact Sarah Jarvis Alliances Marketing Manager, Symantec 0203 637 0644 Sarah_javis@symantec.com • The relationship between Regulators and those in charge of the UK’s Critical National Infrastructure (CNI) • The effects on IT security budgets of falling energy prices • The rise of hacktivism in the sector • How customer data privacy and smart meters are changing the role of IT security professionals The Main Course How does regulation affect Critical National Infrastructure? “The information sharing in this sector is other. In particular the Cyber-Security really important, specifically, the latest Information Sharing Partnership is very threat intelligence. Even though we useful for us.” compete commercially, we should share more good practices around IT security more often.” “Trust becomes an IT security “There is good practice and then there is compliance – they are different. Regulators need to be careful about layering “We agree that information sharing is a more and more compliance on organisa- strength of the sector. We see industry tions. Refreshing good practices on the and government partnership here like no other hand, needs to be done more often.” Have falling revenues affected your IT security budgets? issue with real “Certain budgets have been trimmed by budgets, which includes IT security, are competitive up to 30% as energy prices have targeted - not ideal if you want to stay dropped. This would suggest a good way secure.” consequences. forward is to use a risk-based approach, What the UK to funnel IT security budget where it can really needs is to work best.” “We work off a regulatory driven investment cycle, for which we need to have our plans approved by regulators. They will “We have seen evidence of hacker toolkits set out our settlements and set quotas available in the dark web for as little as and we manage to them. Clearly this is debate on what $10. When used in combination with fixed outside short-term oil price move- is and what is social media, this creates the most easily ments. If the threat landscape changes accessed malicious open source intelli- we can and we will adjust. However, gence network ever. Faced with very compared to three years ago, our cyber well-funded and determined attackers, IT security budget is 70% of what it was.” air a rational not, personal ” data. security budgets should be going up, not down.” “Our issue is that we are dealing with technology which has a 30 to 40 year life “Coming into the sector, many people, span. We are dealing with systems which don’t realise how little of our cost base is were designed to be kept internal forever, variable. When you add up government not exposed to the Internet. This is levies on social and green taxes, there is seldom the case today which means we less cost reduction to go after. So our IT are managing two sets of technology with different cyber security issues.” Hacktivism “If a retailer goes down, their business is “Our board is relatively switched on to affected. If we go down, there may well be Cyber issues. They know for instance that lives at stake. We, at least today, have the a DDoS (distributed denial-of-service) manual control option. For me, though attack may well be just a distraction and there is a lot more on the transformation part of a more worrying advanced threat. agenda. To transform the energy sector, We recently ran three scenarios as part of we need to have all the data in one place.” our crisis management preparation and they performed well.” “The threat moves on quickly. Hackers people who have already won the trust of once used instant messaging via ICQ and the hackers embedded in the environ- IRC. They are no longer there. Now to ment. This can mean 24 hour monitoring combat hacktivism, you have to have and listening.” How will customer data privacy evolve with smart metering? “Faced with very “The rollout of 60 million smart meter tell me, I am at home at a specific time, devices brings into scope IT security [perhaps using hacked smart meter data] issues like endpoint security. This is a big you can identify me. This is not always shift for a sector which has been so true, especially in older and multi- focused on control. Segregation of tenanted properties, but even so, there systems can help keep them secure. are easier ways for criminals to gain this Ultimately though someone will hack a information such as, most obviously, smart meter, because anything which is social media.” coded by man can be hacked. So it becomes the network conduit which “If we can’t be trusted to be secure, we will lose customers. So customer trust well-funded and needs to be secure.” determined “We’ve seen deep concerns in other EU competitive consequences. What the UK attackers, IT counties like Holland and Germany. The really needs is to air a rational debate on greater privacy argument is “If you can what is and what is not, personal data.” security budgets should be going ” up, not down. becomes an IT security issue with real How will the role of IT security professionals change? “We are trying every day to get our “I don’t just focus on what is hitting my employees to recognise that security is organisation. As a security professional, everyone’s job. The weakest link is always you need to concentrate on what’s the people, which is why education is high-value. What are worth focusing on such a quick win.” are the ‘knock on’ effects from board “Training is the most cost-effective thing you can do. The ‘At home’ section on our security intranet is the most viewed. Parents who are concerned at home about what their children are accessing decisions. This is what I need to own and manage. For me, it is all about the pressures of retaining talent. My team is constantly being targeted and tempted to move for another £15 to £20k a year.” are very good learners. In the past, “What have we done better this year than security guys did all our cyber training. last? Awareness, even more so than This was thorough, but not compelling, reaction. We are preparing procedure and nor effective. Now we employ communi- responses based on an accurate assess- cations professionals and it is slick, ment of the appropriate levels of risk for relevant and professional.” us to accept.” Want to know more? If you are a senior technology professional interested in participating in future events, please contact Sarah Jarvis at Symantec: sarah_jarvis@symantec.com