By Charles White
I've been fortunate enough to have attended most of the briefings provided by the Foreign and Commonwealth Office, Department for Business Innovation and Skills and the Security Service on keeping the UK safe in cyber space.
What has been stark in all these presentations is that the government actually feels the need to bring UK Plc. up sharp – not only reminding businesses that the cybersecurity threat is a real and present danger, but for the most part trying to actually persuade them. Of course, the government’s main driver comes from the fact that the UK has one of the largest concentrations of e-commerce in the world and a regulatory framework that is comparatively business friendly. So to this extent, they need to make sure UK Plc. is safe place to do business – and that means being cyber aware.
The UK’s internet-related market is apparently worth £82 billion a year. Businesses are overwhelmingly concerned with protecting their assets – such as property, equipment and people. However, protecting the intangible asset of information brought forth by the openness, interconnectivity and overwhelming profitability of the Digital Age still seems to be a red herring among business. They don’t know quite how to go about addressing the issue – is it the IT Department’s responsibility? To what extent should PR get involved if there’s a breach? Do we need behavioural change psychologist’s advice to make our people more secure? What about HR for cyber awareness training? How security aware is our website design agency? How do we overcome the barrier presented by vastly diverging generational attitudes to privacy and the internet?…Oh if only all this Information Security stuff could be relegated to the data centre!
I’m being facetious of course, because I would argue that Information Security is a discipline that has wider reaching implications than IT. If IT is Pandora’s Box, Information Security has the potential to be the evil that escapes from it…unless businesses understand and address the complexity of security. It order to be effective, it must straddle a number of business departments, whilst also receiving significant and regular attention of the Board.
Whilst most major businesses have security programmes in place, the vast majority are in flight as IT projects. Here's the rub – Information Security is more aligned to transition and behavioural change than it is to malware and phishing, so one has to ask WHY does Information Security always become an IT issue?
Answer: Because sadly we all choose to present it as such – the mere mention of an anti-virus, a firewall or hacking and the issue is presented to the IT Director to look into.
However, Information Security is now a subject gaining traction among the media and individuals. There is rarely a day I look at the BBC’s tech news online and do not find a story about privacy, cyber or hacking. Microsoft launched it’s ‘Your Privacy is Our Priority’ TV advertising campaign only a matter of months back, emphasising how the company tries to protect online users from having their private information released online. They are a company that without a doubt understands its market and its concerns.
Information Security services do have some expert technology to deploy, but we also have to change hearts and minds within the organisation in order that employees question, who are you without a pass? And why is that man sat in the meeting room plugging into the network? Or decide, no I won't click on an email with a suspicious link …and so the sound advice goes on. We have to identify the threats before we can apply an effective solution.
The Cabinet Office has recently written the Cyber Risk Management – a Board Level Responsibility. This document lays out some simple questions for senior executives and the great thing is, not a mention of IT but a clear focus on business assets. My advice is to table this document for the next board meeting and see if the IT security project can’t become a transformation programme, as opposed to a tick in an IT box.
Charles White is IRM's chief executive officer, and founded the company alongside David Cazalet in 1998. He has successfully guided the company from its early days as a small consultancy into an innovative and dominant leader within the information security industry. White’s primary expertise lies in corporate strategy, client relationships and risk management. By acquiring GRC software company Onformonics Europe Limited, he underpinned IRM’s comprehensive portfolio of technical assurance, security management and risk assessment services with software products designed to implement long-term best security practice.