Awareness of cyber crime has never been higher. MOD DCB features writer Paul Elliott spoke to Admiral Patrick M Walsh, Senior Vice President of iSight Partners and General Manager of iSight Partners’ ThreatSpace business unit, about what businesses are doing to better protect themselves from cyber crime.
When you speak to experts in cyber security they will tell you that businesses assume they have more capability than they actually have. Many don’t have a clear assessment of their capability in response to an actual cyber breach. Typically a lot of assumptions are made and people tend to rally behind technology rather than take a proactive role. The reality is that when cyber attacks start against a company, the ability to decipher what is happening, and to see the malicious nature of the attacker, is often much more limited than many realise. Proactivity is a key word in this conversation, and businesses are now beginning to take more proactive steps to become more cyber secure.
Highly decorated during his 34 years of service, Patrick M Walsh is a former United States Navy four-star Admiral now working to deliver specialised cyber training to large-scale and joint cyber security response operations. Mr Walsh is a strong advocate of proactivity in cyber security, and believes that this approach has to emanate from the very top within businesses, and starts with culture.
Mr Walsh explained: “It begins with having a culture that’s willing to accept an honest appraisal. Initially what we found was that if companies are willing to create a climate where their employees can come forward and say they have made a mistake, and those employees don’t feel like their jobs are threatened, then there’s an opportunity to progress.
“We saw this in US aviation. The aviation safety record didn’t improve until the people who were operating that aviation equipment, and who had such great levels of responsibility, felt comfortable about coming forward to identify their own shortfalls, their company’s shortfalls, as well as the shortfalls in the Federal Aviation Administration.
“Once we created an environment like that it became exponentially safer to operate. What we’re finding in cyber is that when the Chief Information Security Officer creates a climate for their teams to come forward and say ‘we didn’t see it’, or ‘we didn’t take the right steps’, or ‘the steps we took weren’t effective because we didn’t take into account other aspects of the threat’, then we have big growth and learning opportunities.”
For Mr Walsh, and many others, progress requires key leadership within the board of directors. He says that prior to the big security breaches visible in the media over the last three or four years, the idea of investing before a breach was seen as a gamble. Companies were willing to live with the risks. These days accountability within business requires smart investments in cyber, with boards of directors taking a role in these investments so that they can be prepared and accountable to shareholders, as well as to the general public. Cyber posture has to come from the top of organisations because increasingly the public demands accountability in this area.
Mr Walsh said: “I think there’s recognition that in the private sector we have to rationalise where we put our time, people and resources – it’s really a function of adopting a risk model. And as you assess risk and where the best place is to put resources, I think knowing more precisely where to invest has to do with knowing who’s coming after you and what their motivations are.
“We’re at the tip of the iceberg compared to what’s coming as we develop the Internet of Things and increasingly become more connected in the information economy. We can’t just rely on the old approach to the way that we deal with security, especially cyber security.”
The cyber threat is constantly evolving and this is vital to the debate. Law enforcement agencies and experts the world over have been clear in the public domain that there is real concern that damaged investor and customer confidence could heavily challenge some financial institutions. It’s critical to keep up with cyber developments as the stakes are high.
Mr Walsh continued: “We see the threat continuing to evolve, not staying still, and simply moving too quickly to just keep up with patches and passwords. This is something that will require much more disciplined thinking and a structured approach as we move into the future.
“They say ‘the front line has now moved to your laptop,’ and I think this analogy is close to the truth. If you were going to put on a uniform, get on a boat, and go over the horizon to deal with a potential adversary there would be a lot of elaborate preparation you’d do in order to manage risk – knowing full well that you couldn’t reduce risk completely. At the same time you’d do everything that you could with the investments that you had available to you to be ready for an environment that frankly was going to be unpredictable.
“We have to adopt a very similar sort of mindset for cyber, and that’s how I arrive at the use of the word ‘readiness’ because I think that assessing the overall readiness of an organisation today means the ability not to deal with yesterday’s threat, but to deal with the changing threat landscape.”
More and more we’re seeing opportunities for businesses to take part in cyber attack simulations. For iSight, Mr Walsh works on a service where companies are put through crisis simulation scenarios. The aim is to create an environment that gives network teams the opportunity to work ‘horizontally’ across the whole organisation. This is very important as part of a cyber security strategy, as typically inside the ‘network culture’ individuals rarely have a chance to work together as a team. So the ability to focus efforts and leverage the intellectual wealth that’s part of a network team really comes with an opportunity like simulation scenarios, rather than waiting for an actual breach and assuming everybody knows their roles. Mr Walsh stresses that it is important for everybody to understand their crisis response plan: when put to the test, the real investments that companies need to make are found to be in their people, as well as in keeping up with their product line, so that they do not rely on a historical view of what the threat is, assuming that what works now will keep working in the future.
Mr Walsh commented: “What we are seeing in industry is companies are increasingly dissatisfied with the responses they are coming up with internally to breaches, and they are demanding a different way of approaching responses to the threat environment, meaning they want to work more horizontally across the technical teams.
“Increasingly what we find when given the chance to conduct those sorts of crisis simulations is that corporate leadership has to be involved as well. Typically what we see is that technical decisions made by the technical team are technically correct, but they don’t take into account business impact. What companies are increasingly asking for is a more business-savvy network team that understands the consequences of shutting down services if that’s the course of action they take.
“They have to understand how to communicate a picture to the corporate leadership so that they can exercise an independent judgement. That ability to communicate is something that’s been assumed in the past but as we step through some of these simulations we realise that there’s more work to be done. So the level of preparation across the technical team, as well as the level of communication and the exercise of judgement on the corporate leadership side, is where we see the biggest developments taking place.”
The ability to anticipate is where good leadership earns its money. According to Mr Walsh, industry is trying to move towards understanding more precisely the motivations of those who are attacking, anticipating what the next steps and their consequences will be, and handling the associated communications that have to go to the CEO level as well as to shareholders.
Preparation is vital – so the idea of having a very rigorous rehearsal opportunity, and staying abreast of the key lessons learned, is something more and more businesses should, and undoubtedly will, invest in. This all needs to take place as part of a boardroom-led culture shift to prepare more proactively for cyber attacks, which can only make industry more resilient.
For more information, visit: www.isightpartners.com