iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Logicalis’ chief executive sat down with Cyber Daily recently to talk about the brass tacks of getting your business cyber secure.
From where a business should start its maturity journey to how cyber security can impact and improve innovation, Anthony Woodward is a passionate cyber defender who isn’t afraid to ask a lot of his own questions.
Cyber Daily: Anthony, you believe that a lot of people – a lot of companies – are spending money on the wrong cyber security things, so I am curious: what are the wrong things to spend money on?
Anthony Woodward: Well – it’s probably best summarised as too many things.
What we see quite a bit is … cyber security spending tends to be very point-solution-based. So a problem pops up – how do we solve that?
Vendor Z has a really good play in that space, so let’s put that in place.
Then problem B comes up … Rinse and repeat, and you end up with a flotilla of cyber security solutions that potentially overlap and may not talk to each other; they don’t necessarily integrate, and perhaps there’s a Swiss cheese scenario, where there’s actually a hole that lines up through all of the slices and you are still not covered when you need it to be.
That’s a common refrain when we talk to customers about cyber security. They’re sort of saying costs are going up and we’re not entirely sure what we’re getting for our money in terms of cover. And is it aligned with what we need?
And so we’re really getting them to focus on…
We’ll let’s go back to talking about what’s important to you from a protection perspective – what are the crown jewels?
Where do we start, and when?
When I use terms like crown jewels, that’s very much where we start the conversation. We like to start the conversation with customers rather than them coming to us saying, “hey, we need XYZ platform – can you buy it and run it … Turn it on for us.”
And we say, well, hold on a second. Is that actually the right thing for you? Is that what you need? What are you trying to achieve?
Cyber Daily: So what I’m hearing is that too many companies are being reactive rather than active in the way they treat cyber security.
Anthony Woodward: Yeah – and that probably speaks to your point, people taking a tactical rather than strategic approach to cyber security when really you need to think of strategy.
And we go further and say that if you take a strategic approach to cyber security, it can actually be a business enabler rather than how it’s usually seen, which is kind of like … it puts the brakes on everything.
Cyber Daily: So, in that case, what are the essentials? Once you have established those crown jewels, what are the essential steps after that?
Anthony Woodward: Really, the follow-on from that – or really what the crown jewels process is – part of the exercise is pulling together what your risk appetite is.
I can actually talk a little bit [about] the experience I’ve had on neobanks here because that’s something some of our clients face. As well as sort of saying, “OK, what’s our risk appetite for this scenario?” Now, if you’re a bank and financial data escapes, your risk appetite for that is zero; this cannot happen.
So, in that scenario, then that becomes a very important component that you need to protect and think about how you build a risk framework around that.
But there might be other things in an organisation where, for example, data that’s more than 10 years old.
That’s not a big problem for us, especially if we store it somewhere that’s air-gapped, and I bring that up because we know about some recent scenarios where, you know, the idea that we better keep copies of everything forever actually starts to become a problem.
Cyber Daily: The number of times I’ve seen old driver’s licenses and passports that companies have but really should not be holding onto…
Anthony Woodward: Exactly!
So the start of the process is really thinking about that and saying, “Well, what data do we actually hold? Do we need to hold it? How long do we need to hold it? What does it mean to us as a business? Can we dispose of some of it? What’s the regulatory framework around that?”
And there’s a lot of uncertainty around that because some regulations conflict with each other. For example, you know there’s the seven-year rule, or where you might be asked to dispose of everything as soon as somebody asks you to.
Under GDPR, that’s its own challenge, especially if it’s tangled up in backup somewhere – are you sure you can fish it out and delete it?
So, if you go through that process … We’ve coined something that we call adaptive asset protection, and the assets come down to the people, the information, and the brand that you want to protect at the centre of your risk framework.
So the people, obviously, is … Can they get to the information that they need in the mode of work that they want to engage with, and in the hybrid world, what we’ve seen come up – and it’s actually probably the second-biggest concern for CISOs – is this idea that the perimeter of my operating environment is much more fluid now because people are working remotely.
So I don’t know where the edge of my network is – it could be anywhere on Earth. How do I protect that?
But I still want to make sure that my people can get to the systems and the information they need to do their work and still provide them with a flexible working environment.
So there’s those sorts of components.
And then there’s the brand you have – what would happen if such and such were to occur? What would that do to our brand? What would that do to our reputation?
How important is that to us if we’re a consumer-facing brand that sort of banks on or leans on trust, and reliability is one of its core attributes? Then, a data leak is a major problem.
If we’re a behind-the-scenes B2B provider, it might be a much smaller system of customers that we need to be thinking about. And yeah, the flow-on effects could be significant for some of those customers.
But you know what? What we need to protect is how we’re interacting with those guys, and maybe what are our third parties that we deal with, what’s their position on security? If you think about what happens in the regulatory environments now when they’re talking about security, they say, “Oh, and by the way, these security standards extend into your supplier network as well.”
So, the suppliers that you take on need to also be compliant, or you need to satisfy yourself that you can make them compliant with your own security standards. Sorry.
Cyber Daily: You really need a whole robust audit process for not just your own internal networks and the various endpoints of that, which could be in your head office, which could be somewhere out in the western suburbs depending on where people are, but also any third parties in your sphere of business.
Anthony Woodward: Yeah – one concern around security at the moment is legacy systems and processes, and it’s a bit of a sleeper because if you have a really arcane process for dealing with some piece of critical information for your customers, then that could be subject to some security risks you hadn’t thought of, like, we have to fax XYZ to somewhere.
Well, where did you actually fax it to? And who’s reading that now, and what did they do with that fax once they got it? So those sorts of things need to go into the mix.
And this is all before we’ve implemented anything or even written the first line of a policy.
We’re still at the point of understanding the risk landscape that we’re operating within as a business, and from business to business, that will be different.
Cyber Daily: You’ve also said – or Logicalis has also talked a lot about this – about how security can be a hindrance to innovation or it can be a positive. I’m guessing it’s along the lines of something like ... too much security slows things down?
Anthony Woodward: It’s kind of that, but it’s not so much too much security because, I mean, there’s certainly plenty of people who could argue that you can’t have too much security. And I think that’s an argument that you can always have.
It’s probably the nature of … What does it cost to implement what you have built as your security process? And a good example is a customer prospect we spoke to in the insurance industry.
They have a digital innovation capability, as many of the insurers do, but they were asked by their compliance team to slow down their rate of release of innovation because every compliance cycle carries a certain cost and they only had budget for X number of compliance cycles in a year. So they were sort of saying, “OK, by month three, you’ve burned your year’s worth of compliance costs – see you next year.”
You can’t do that. You can’t stop innovation because the compliance cost is too heavy.
So you need to rethink, well, how are we implementing this compliance review of our innovation cycle? Can we maybe embed it in the innovation cycle? And that’s when you start to think about things like from a process perspective, things like DevSecOps and the machinery and tooling that goes into supporting that.
What we’re saying is if you think of it that way, then you could be in a situation of saying, “OK, we’ve got a competitor that we want to beat to market with X, and because we have security embedded into our innovation cycle, we can be more confident that we can come out with releases actually more frequently than potentially a competitor.”
That’s when it becomes a business enabler.
Cyber Daily: So, security first, in a nutshell.
Anthony Woodward: Correct.
Cyber Daily: I’m going to end with a question that I ask everyone because the answers are always fascinating – when it comes to security, what keeps you up at night?
Anthony Woodward: Uh, yeah, it’s an interesting one, isn’t it?
Yeah, I’ll reflect it back to a report from a customer perspective first, and then I’ll give you mine.
What I’ve been surprised about is that, if you looked back, say, two or three years ago, the focus was very much on education and the end user. I’m gonna say culpability, but that’s not quite the right term.
You know, somebody clicked on the wrong thing and the whole house came tumbling down.
The idea back then seemed to be that if I trained my people well and they never clicked on anything bad, then I was 99 per cent of the way there. And what’s changed in that environment, I think, is the fact that it is gonna happen – so what have you built to make yourself more resilient to that?
I even see it in the changes of training material, where it used to be all the things not to do so that you don’t set off a security incident. Now, included in that training is what to do when it does happen. These are the steps you should take immediately because if you act quickly, we can still contain this stuff.
So why I’m bringing all that up is that the malware and the things that people could be sent that could damage their systems and your systems as a risk profile is dropping in some of the survey results that we’re seeing. It’s becoming less of an issue.
What’s probably becoming more of an issue is when you actually combine the security landscape with the AI landscape because the sophistication of what can be put in front of people from a social engineering perspective is going up at an exponential rate. From my perspective, that’s probably pretty scary because we like to think of ourselves as being able to pick the dodgy, poorly written spam messages that are meant to make you click on something.
But if it’s written almost exactly the same way as someone you converse with every day, would you be able to pick it?
That’s pretty scary, right?
Cyber Daily: No argument here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
