29 June 2012 by Andrew Wadsworth
Security Themes from Chairing a Conference to MI5
Just back from chairing the CISO Intelligence Forum: Energy conference in London, which covered a wide range of hot topics around security in the Energy industry. Together with a rare public speech in London by Jonathan Evans, Director General of the (British) Security Service (read his full speech here), there are a few threads I see coming together.
As Mr Evans said, “The front line in cyber security is as much in business as it is in government.” In most countries the vast majority of critical infrastructure is owned and operated by private companies, which are responsible for its security even though that security is a matter of national interest. This leads into the debate over how much, if at all, governments should regulate in this area, a theme that came up several times at the conference. The consensus was that regulation is inevitable at some point. Regulation that sets objectives but leaves individual companies to assess their own risks and choose the defences that suit them was favoured over prescriptive regulation, which cannot keep pace with changing threats.
Just as Mr Evans highlighted the need for close co-operation between multiple agencies and businesses to defend against attacks, the conference discussed the need for co-operation and integrated cyber defences throughout the supply chain. This ranges from ensuring suppliers deliver secure software (and are willing to open their code to scrutiny) to sharing information with your suppliers and customers, sometimes even IT operational data, so that patterns and trends can be identified which might reveal a security breach. This is a new approach: just as attackers share information, those defending themselves will almost certainly have to find mechanisms to do the same. One initiative that could help in this area is the establishment of the ICS-ISAC, to which Amor is contributing. It is not yet up and running, so look out for more information on this in the coming months.
We had an interesting debate at the conference about risk analysis and its impact on the security strategies companies adopt. What became clear is that very different approaches are being taken to identify and assess risks, and that regulation and standards need to allow a risk-based approach to deciding what actions are required. One size does not fit all. In the eyes of Mr Evans “The Boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance”, yet we at Amor do not see this happening routinely.
Overall, the topics covered at the conference reminded us of something that is easy to forget: security needs to cover people, processes and technology. People are your weakest link, and will become even more so as security technology improves and process automation advances, because it is much harder to change human nature than to improve a control.
Last word to Mr Evans: “What is at stake is...the safety and security of our infrastructure.”