Collaboration is the key to countering IoT security concerns
- Summary:
- In part two of a pair of articles on what cyber-threats are likely to look like within the space of only a couple of years, experts discuss how these challenges can best be addressed, with the key watchword here being “collaboration”.
In order to address the worrying shifts laid out in its Threat Horizon 2019 report, the Information Security Forum recommends that enterprises make the easy-to-say but difficult-to-implement move to a more “collaborative culture”. As Steve Durbin, the body’s managing director, puts it:
Moving forward, organisations must prepare themselves for unprecedented levels of collaboration. Legal, compliance, audit, HR, IT, information security and other stakeholders must congregate to assess risks and inform the decision-making process. This collaboration should be extended to partners, manufacturers, vendors and regulators to ensure information security requirements are met.
While some enterprises do already collaborate with third parties through industry bodies, particularly in matters relating to critical national infrastructure, trust is always a big issue, as is having the time and resources to do so. But even internally, collaboration between functions is often easier said than done. First Base’s Wood explains:
Going back 10 years, IT, HR and facilities management never talked to each other, so someone could easily pretend to be a contractor, walk into the building, plug in a laptop and download lots of company information. And that kind of social engineering still works today, as there’s no harmony or day-to-day discussion between them, which means criminals can work in the gaps.
Even though the ISO 27001 information security standard, which advocates creating cross-departmental forums to assess and manage organisational risks, has been around for about 20 years, all too few enterprises have taken this kind of approach to date. But Sanjeev Shukla, managing director of Accenture Security, explains the benefits of going down this route:
Internal collaboration is definitely needed. For example, if someone registers a domain name that uses your organisation’s identity, the first department to know would probably be branding or legal as they’re likely to subscribe to a monitoring service. So if they sent an email to the security guys telling them about it and warning that the domain name might be used in a phishing attack, the security guys would be ready. But it doesn’t usually happen like that.
Cross-functional collaboration
The most mature sector by far in collaboration terms is financial services, especially the global banks, but utilities and energy providers are also not too far behind, he says.
Unfortunately, the idea of different departments working together for the greater good simply does not occur to many enterprises in other sectors. Even where it does, internal corporate politics often plays a big role in torpedoing such efforts, particularly if individuals become protective of their own interests and are put in a position of having to compete with other departments for budget and resources.
As a result, action tends to happen when an incident takes place either within the organisation itself or at one of its rivals, prompting internal soul searching at board level. Change is also sometimes sparked by internal transformation projects.
But whatever the impetus, top leaders mandating new ways of working, which includes collaborating on risk management, is always the most effective means of getting things moving. Actively incentivising executives to work together is also a useful tack as is allocating new resources to such activities.
The first step for the IT or security department to take, however, is to conduct a scenario-planning-based risk assessment, according to First Base’s Wood. This activity involves building stories that demonstrate what the cyber-threats look like in real-world terms and what their impact is likely to be on the business. This information can then be used as a starting point to work with other risk managers in areas such as brand risk and physical security risk, as well as with business functions including HR and finance. But Wood warns:
The skills to be able to do a proper risk assessment without overcomplicating it are rare, and being pragmatic without compromising the quality of the work is hard. Some people are super-skilled at doing the risk assessment itself but are really boring presenters, while others don’t know how to extract information from detail and so can’t engage people.
Sustainable collaboration
Being able to communicate often difficult technical concepts in business language rather than security jargon is crucial to success. Just as important is finding someone able to facilitate discussion among the various stakeholders. Wood explains:
It’s about guiding people to talk about things like who’s likely to attack us, why they would be motivated to do it and what methods they usually use. For example, the National Gallery’s biggest threat is activist groups hating the fact they’re sponsored by oil companies, which means they throw paint on the floor. But how could that be translated into a cyber-threat?
The workshops need to be led by an expert in risk principles, but the focus should be less on cyber-risk per se, although that is a useful starting point, and more on the wider risks to the business. Wood says:
Workshop leaders need to know how to get answers, lead the group without it going off at tangents and be able to summarise things at the end in order to come up with ways of taking things forward. A lot can be learned from a few workshops. It’s about winning hearts and minds.
After the initial kick-off sessions, regular monthly meetings, together with an annual risk analysis exercise, also need to take place if the approach is to become sustainable rather than a one-off exercise. So, for example, if one of the workshop outcomes was to test possible threat scenarios, this testing should be carried out and the results discussed at the following meeting in order to understand what went well or badly and what lessons were learned.
The findings can then be used to start producing a roadmap of possible improvements, such as introducing training, process changes or a specific cross-departmental project, because, as Wood concludes:
You can then kick off a new exercise based on the last to create a rolling snowball of activity.
My take
Collaboration may be easier said than done, but in a world of increasingly sophisticated organisational cyber-threats, it is crucial to look at the risks to the business, where they are coming from and their potential impact, in the round rather than from the perspective of departmental silos. This means that, in future, tackling cyber-security issues effectively will be less about shiny new things with lights and more about facilitating cultural change, no matter how uncomfortable that feels for everyone.