When organizations consider cyber security, they usually focus most of their attention on technology, partly because that is what the market pushes them towards. In my view, however, 50% of cyber security is cultural, 30% process and just 20% technology.
Cyber security is an arms race and the boards of all organizations need to take it seriously. Frankly, if it isn't one of the key items on a board's risk register, that board is asleep at the wheel. But many of the right responses on culture and process are neither new, nor are they particular to cyber security.
On culture, the insider threat has long been a problem for organizational security. British government posters during the Second World War reminded citizens that 'Careless talk costs lives', with one 1940 Ministry of Information poster also having someone telling a friend 'Don't forget that walls have ears!' in front of wallpaper patterned with Adolf Hitler's face.
But 'careless talk' is now something that millions of people indulge in, assuming that they can share everything through social media. While some may be put off by recent coverage of how their data is used, many people are in the habit of sharing their personal and professional lives online by default.
To help tackle this, organizations need education - not just about cyber threats such as phishing, but more broadly about how you treat any form of information sharing or access. It might not matter if an employee posts a picture of themselves online, but it might matter very much if it includes a screen showing sensitive information or a sticky note with a password. Educating people on this is not just about cyber security but how you treat any form of information sharing or access.
The onus is also on security professionals to consider how employees actually behave rather than how they believe they should. According to the UK's National Cyber Security Centre (NCSC) British citizens have an average of 22 online passwords, far more than most people can realistically remember. So they reuse them, using the same password for an average of four websites1. Many of these passwords will be weak ones, with research based on five million leaked in 2017 suggesting that the favorite choices remain '123456' followed by 'password'2.
Security professionals can help with more user-friendly authentication processes. NCSC backs the use of password management software for individuals, which can generate strong passwords for each service - it is more likely that users can remember a single strong master password than two dozen. For organizations, a single sign-on service provides a similar option. NCSC also discourages organizations from forcing users to change passwords regularly, on the grounds that many people will use a similar weak one as the replacement3.
There are also technology-focused approaches for spotting insider threats, such as behavior analysis, a useful technique that I will discuss in a future article.
On process, it makes sense to integrate security into day-to-day IT operations. Some organizations run separate network operations centers (NOCs) and security operations centers (SOCs). I believe that having a separate NOC and SOC is not only inefficient insofar as it is doubling up in some ways, but it is also ineffective. It is much better to run a single NOC-SOC, both for efficiency but also because this makes security an integral part of the process of running an organization's network.
A combined NOC-SOC can be controversial and many people believe they should be totally separate. As a practitioner, I believe that it's much more sensible to bring them together and this is increasingly happening in the market.
I'm a great believer that 'operate' and 'defend' are two sides of the same coin. Good cyber hygiene is no different from good IT operations hygiene - to take another example, business continuity and disaster recovery plans aren't just a mark of good cyber security but of good IT operational practice.
IT leaders can either take a “defense in depth” approach, where they build an ecosystem that integrates products and layers from multiple vendors, or go with a single provider and accept that they are not going to have best of breed in every area.
Both approaches present benefits and risks, but I recommend defense in depth. In my opinion, there is a wide open market opportunity around the provision of a 'security orchestration bus' that would take the input from the various products and layers, and make that data available to the others through an API to allow true 'plug and play' across the enterprise and throughout the course of business.
None of this takes away from the fact that cyber security is a very real problem and I don't want to take people's eyes off the ball. But I do want people to concentrate on what actually is important - and that means considering culture and process at least as much as technology.
Mike Stone (mailto: Mike.Stone@kpmg.co.uk) is KPMG's Global Head of Technology Transformation for Infrastructure, Government and Healthcare. He served as an officer in the British Army for 28 years and has worked as Chief Digital Information Officer for the UK Ministry of Defence as well as President of Service Design and Chief Information Officer for BT Global Services.
This is the second in a series by Mike Stone on cyber defense in depth.
1Source: UK National Cyber Security Centre, 'Password Guidance: Simplifying Your Approach', January 2016, from https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
2Source: Fortune, `The 25 Most Common Passwords of 2017 Include 'Star Wars'', December 19, 2017, from http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/
3Source: UK National Cyber Security Centre, 'What does the NCSC think of password managers?' January 24, 2017 and 'The problems with forcing regular password expiry', from https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers and https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry