Detection is not enough for today’s complex cyber threats


Posted on: June 2, 2015 by Sandy Forrest

When, some 500 years ago, Leonardo Da Vinci wrote ‘realize that everything connects to everything else’, he was probably making some sort of metaphysical point; but in today’s digital world it is increasingly becoming a statement of fact.

A connected world challenges security

As we strive for greater efficiencies and to exploit advances in technology, this often involves expanding the range of our ‘connectivity’: adding new customers, new suppliers, data feeds for Big Data Analytics and social media; changing the way we obtain IT capability through commodity pricing and cloud services; and striving for ‘digital transformation’. We want mobility in our working lives and we want to bring our own devices to work. What is all that doing to the inherent security of the information systems we already had?

There is a need for a holistic approach to cyber security, and an understanding that almost any change requires us to think about the collateral implications it might have for the entire infrastructure. We need to plan for, monitor, respond to and recover from whatever the connected world throws at us, protecting not just the information systems but the business processes they underpin.

But we have been there before: in the 1970s and 80s, architects were designing buildings, housing estates and whole communities that were beautiful to look at but inherently flawed as secure environments to live or work in. That led to the development of the concept of ‘Secure by Design’ and recognition of the crucial role people must play in making security effective, which now determine the balance between aesthetics and security. We should consider what lessons can be learned from that process.

Information Security is a critical business enabler

Information Security should be viewed as a critical business enabler, bringing clear value and benefits, rather than an overhead to be tolerated. It must be appropriately targeted to manage risk effectively, allowing you to understand and manage the residual risks. It is not how much you invest but how well you invest it.

Of course, there will always be a very small percentage of threats that organisations are not able to protect their businesses against, as the cost to do so would be extraordinarily high. Therefore, they must strike a balance to ensure they’re making investment in the right areas of security to remain in control of the business without breaking the bank.

New market opportunities, new ways of working and new risks

The digital era is something of a double-edged sword: there is a constant dynamic between new market opportunities, new ways of working and the new risks that emerge as a consequence. Together, those opportunities and the evolving risk landscape need to be managed to give a complete overview of the business operations. If we introduce new ways of working, we also need a good understanding of the potential new risks we are opening ourselves up to. Only then can we take steps to mitigate them.

Security policies aligned to new situations

So organisations are required to adapt constantly to these new situations, both to maintain a competitive advantage and to answer to the regulators. Understanding what the regulatory landscape means from a security perspective enables enterprises to prove that their businesses are taking the correct measures, building trust with their customers in return. Ensuring their Information Security policies always stay aligned with new situations will enable them to reap all the benefits of the digital era and run their businesses much more effectively.



About Sandy Forrest

Client Executive Cybersecurity
Sandy Forrest is the Client Executive responsible for coordinating end-to-end cyber security capability (advice, services and products) across Atos UK and Ireland. For the preceding seven years, he oversaw the delivery of IT Services to the UK’s National Security and Intelligence organisations, and for the London 2012 Olympics he was the liaison between Atos (as IT Partner for the Games), the Intelligence Agencies and the Olympic Security Directorate. He served on the UK Government’s Olympic Cyber Security Advisory Group and sat on the Mayor of London’s Cyber Security Advisory Panel. Before joining Atos, Sandy set up and ran the overarching healthcare regulator, the Council for Healthcare Regulatory Excellence (now subsumed into the Professional Standards Authority for health and social care), and was CEO of NHS 24. Prior to that, he was a Chief Police Officer in Scotland, latterly a Deputy Chief Constable in the role of HM Assistant Inspector of Constabulary.
