On 25 August, Xcina Consulting hosted the second in the series of Breakfast Briefings at the City of London Club.
It was a great pleasure to have Marcus Willett, the former Deputy Head of GCHQ, deliver the Keynote Speech on “War and Ransomware – More Cyber Instability” and our distinguished panel comprising Tamlynn Deacon – at Hottinger Bruel & Kjaer, Daniel Pass – CTO at Perenna Bank and Rob Janssens at ParkNow.
Insights into UK and US thinking surrounding the Ukraine war, cyber incidents and the growth of state operated attacks offered us a chilling start to the session.
The in-depth subject knowledge gave us a very strategic view and offered a lively discussion as we came to terms with topics and terms such as Cyber 9/11 and Cyber Pearl Harbour!!
Some of the discussions are captured in recent articles and analysis at the pages below:
Russia Ukraine Pressing the right button at the right time
What are the biggest cybersecurity threats and challenges right now for your organisation?
Increasing threats from ransomware, the sophistication of attacks and multitude of attack vectors were mentioned. So were the unpredictability of attacks and opportunities arising from significant changes in technology environments and the susceptibility of staff.
Ensuring that staff receive appropriate training is absolutely key, as they are on the front line for a business and are the single point of failure.
How do you align the firm’s risk appetite with information security posture and how do you communicate this to the Board?
Measuring the firm’s risk appetite and alignment to information security posture is difficult but can be done with various widely accepted frameworks. The key though is ensuring that the right questions are raised with the Board to determine the relevant and relative importance of their specific risks.
Does an in-depth board level understanding of Information Security and Cyber threats help or hinder?
This can be helpful, but what matters most is that they understand their risk appetite and what this means for the business.
Mitigation of the unacceptable risks is where we must help a board through our role and job function. Board members need to be aware of key cyber risks; however, the quality of discussions is still not quite what it should be due to limited knowledge and expertise. Cyber experts need to build trust and credibility with boards and present information in ways that more easily communicate the impact on the organisation’s strategic objective. Better awareness of the risks will unlock more resources for the security teams.
How important are Information Security certifications, such as ISO 27001?
Across the panel, all felt that whilst they were an important asset, they were only of value if the business embraced the spirit of the requirements instead of adopting a tick-box approach. Certifications as a badge are probably a waste of money if not used correctly; however, they provide useful benchmarks and targets for organisations in their implementations of security frameworks. Certifications are also useful for demonstrating the adoption of minimum standards to stakeholders including customers or procurement teams.
Is the Insurance industry really on top of Cyber Crime?
Marcus offered an emphatic NO, as it was a serious issue given the scale of the problem and the companies not wishing to share the information on Ransomware attacks or other cyber breaches due to perceived reputational impact. Although the incentive for cheaper insurance from more effective controls is there, the complexity of cybercrime including issues such as lack of data, jurisdiction, legislation, variety of accepted frameworks and no standard approach makes this difficult.
Are we doing enough to punish cyber crime?
Both UK and US agencies have great difficulty in prosecuting due to location. Cybercrime and the people undertaking it are actively being sought by some countries, but there is no common framework for cooperating across jurisdictions to identify, apprehend and prosecute cyber criminals. Only a handful of countries collaborate in this regard, and although there have been suggestions for global legal frameworks to deal with this, it will be some time before there is enough consensus to get this done. Additionally, law enforcement agents in all but a few countries lack the expertise to successfully investigate and prosecute cyber crimes.
Given the exposed nature of your role, how do you manage the business’s need to remain safe versus your own personal responsibility for health and wellbeing?
All the panel members offered their own thoughts surrounding a work/life balance, especially given the highly stressful nature of individuals’ roles, the importance of good planning and in turn a capability to have healthy separation.
Balancing the requirements of the organisation with the welfare of staff is a tricky process but one that must be constantly navigated. There is no one size fits all here, just different approaches specific to individuals and organisations.
Our thanks to everyone who came and especially to the panel who provided very insightful views of the questions posed to them. Thank you for your support and making it a great session.
If you missed any of our earlier events, further details are available here. To participate in our future discussions, stay up to date as we announce new dates and address wider topics by emailing us at email@example.com, or join our events guest list.