Glasgow was bathed in sunshine as I, and several thousand others headed into the darkened auditorium at the Scottish Exhibition Campus for two days in April for CYBER UK.
Reflecting on the talks, discussion and presentations over those two days, the call for change has never been clearer. As highlighted in the speech from security minister Dan Jarvis, and the opening keynote from NCSC Chief Executive Richard Horne we need to pick up the pace. We need to start moving at the speed of machines, not bureaucracy. And this call for change needs to pervade every aspect of an organisation, from the Board directors to the cleaning staff.
The auditorium’s pumping music and bright lights all worked to galvanize peoples’ intentions; but back at our desks, will this change happen, and how can CIISec pledge to help?
Radical transparency
One call to action was to share more. There is no doubt we can all learn lessons if people openly share their experiences, near misses, and if organisations are more transparent. There is also a case for sharing best practices to lift each other up. The more experienced helping the smaller, less experienced organisations. Bolstering an ethos of one community working to a common goal. CYBER UK did provide an opportunity for some sharing: with powerful testimony from a CISO recalling the aftermath of their cyber breach. But it is not organisations that do the sharing, it’s people. And people only share when they are in a trusted environment. What can we do to facilitate that sharing? CIISec’s Fellowship aims to offer that environment or platform on which we can build trust. We will endeavour to offer our Fellows greater opportunities to share, collaborate, and join forces; but also to offer each other challenge as well as support.
Thinking laterally
Organisations need to embrace lateral thinking, moving away from the dangers of group think. How often do we avoid working with people who constantly challenge us and question our decisions? Yet it is outside the echo chamber that the best decisions and solutions can be made and found. Cyber security specialists don’t have all the cyber security answers, and why should they? We need to be open to inviting other departments to offer solutions. People who think very differently from us, who come at the problem in a new way, will often reframe it and thereby provide solutions. What’s stopping us from involving others, cyber resilience is everyone’s responsibility after all? CIISec’s Headstart course, available freely to Corporate Members offers non-technical staff a cyber and information security grounding. Giving them the basics and understanding on which to help build solutions when asked.
Opening our eyes
Almost every organisation has faced periods of underinvestment and deals with legacy systems. The latest AI tool may be effective at pointing out our vulnerabilities, but are they vulnerabilities we already know about? We cannot turn our back on good cyber hygiene; it takes good and thorough cyber hygiene to fix things, not the latest shiny tool. And good hygiene is a cultural solution, not a technical one. CYBER UK taught us about “willful blindness” and how 85% of people in organisations don’t voice their concerns or ideas out of a feeling of fear or futility. We must embrace a just culture, empowering anyone in an organisation who sees something wrong to report it. The CIISec Skills Framework v4 was released this month with a new skill area of Human Centric Security, acknowledging the powerful role people play in cyber resilience. ‘People Powered – Resilience Built on Human Insight’ is the theme of our annual conference CIISec LIVE this year; acknowledging the irreplaceable role humans play in defending us from threats.
Institutional memory loss
A powerful presentation made the point that as a country we are not planning for the long-term. The five-year term of governments has created a system of short-term incentives and short-term planning. People’s careers are squiggly, we move around far more regularly than ever before; so the institutional memory that used to exist in most places is being eroded. Have we, as one speaker suggested, ceded the responsibility of national cyber security to CISOs in commercial organisations? Whether that is true or not, when it comes to problem solving, we’re falling into the trap of being reactive, rather than proactive, by not thinking far enough ahead. By depending on government, and others to solve our problems, is our ability to think critically being eroded? There is a limit to the change any government can make, and it is incumbent on us all – and CIISec – to talk loudly about the realities we face, and enable and support the rest of society to find a response.
