In this article, ITC’s Malcolm Taylor, a former intelligence officer with the British Government, considers the question new clients most often ask: “how should we start our journey towards being more cyber secure?”
At ITC we believe it’s all a question of maturity. Where are you now and where do you want to get to – what is the right level of maturity for your particular organisation?
Age, we are told, doesn’t matter; it is but a number. Maturity, on the other hand, is somewhat different. Maturity is the thing we admire in age, even if one doesn’t always follow the other – some are wise beyond their years, while others will never get there. We admire those who make the right decisions, at the right time and for the right reasons. We admire those with the ability to stand back, to take in their surroundings and make calm assessments even under pressure. And we admire those who can confidently deal with problems, even when they don’t have all – or often any – of the answers.
The threat to businesses large and small from those we loosely identify as cyber attackers is well known, well documented, and yet poorly understood. It is presented as something that should be taken seriously and all too often as something of which we should be terrified. At the same time it is seen as something mystifying, complex and, to all but a few, impenetrable. In cyber space, no one can hear you scream.
The alarming nature of the threat – we should be under no illusion that there is a threat – and the way it is portrayed should not and must not prevent us from taking action. Inaction is no excuse, as the executives of many household names have discovered to their dismay. Yet, those very factors combine to make inaction more likely and, in our experience, only too common. This isn’t always the fault of the victims or those likely to become them; in fact, it may in part be the fault of those who, too enthusiastically, seek to help.
A further factor likely to encourage inaction is cost. Defending your company can appear to require an almost limitless budget. Technology, tools, whole new ways of working and arrays of expensive people, all combine to raise costs. Stories of companies and organisations that have invested heavily and yet still been attacked are also common. These only go towards increasing the sense of helplessness and hopelessness.
But it doesn’t have to be this way. It is possible to make the life of the attacker more difficult, to invest reasonably and wisely, and to sleep more soundly as a result. But the question we as a company are asked most often is, where do I start? As a plea for help that is refreshing. As a sign of where we have got to, perhaps less so. It is, we believe, a straightforward question of maturity; the maturity of your company to defend itself and the maturity of your approach from this point forward. That understanding defines investment decisions, lays out those things which need to be addressed immediately and those which can wait. Often it identifies things you are doing which you can safely stop and in doing so save money, and it shapes a strategic approach for the future.
Cyber security has no panacea. It is, rather, a journey from where we are now, which is to say young and sometimes foolish, to a place of more wisdom and more maturity.
The core of our first engagements with clients in the Advisory Team at ITC is conducting maturity assessments. The journey towards better security is one of risk management, and all effective risk management begins with an understanding of the as-is. Understand, assess, address and begin again. Successful companies are good at risk management – financial, political, physical and legal. Cyber security is another risk that must be factored in, and, as with other risks, expert advice may be needed in order to manage it efficiently. Companies in the mid-tier of our economy – which is to say, most companies – employ, on average, fewer than three people with responsibility for their cyber security. These roles are often combined with that of IT manager, or general security manager, or sometimes both. That looks like a criticism and a plea for more internal roles. It isn’t that. It’s a reflection of the economic reality and the scarcity of skills, and it is also a reflection of the fact that making IT work is very different from making IT secure. That conflation is common, and mistaken.
A good maturity assessment – a Cyber Security Review – should be based on a broad understanding and examination of the company. That includes at the least its technology, its leadership and governance, its physical security and its people. It should be calibrated to the maturity of the organisation being reviewed too. Take as an example the penetration test. Although our most common initial engagement with clients is a Cyber Security Review, the most common initial service we are asked for is a penetration test – because executives think they know what that is, that they understand it, and that it will per se help them become more secure. We work hard to discourage such requests; a penetration test can be incredibly useful, but only if the company is mature enough in its existing levels of security. Otherwise, it is very likely to be a poor use of funds, providing only a false sense of security. Commonly requested they may be, but, in our view, penetration tests are not a sensible place to start.
It’s essential to obtain a clear roadmap to improved security rather than just a set of obvious criticisms.
The output of the Cyber Security Review is crucial, of course – otherwise it is merely more cost. The reporting should be clear, comprehensible to those making decisions (as well as those doing any work it recommends) and structured in such a way as to enable the journey to begin. The reporting must also consider the breadth of the company – with plans and strategy for improvement in all of the areas identified above. It should be designed, in other words, to build maturity and to build on increasing maturity. Penetration tests again serve to illustrate the point: a good Review should show at what stage in the developing maturity of a company such a test would be helpful and wise, both in terms of security and of investment. Doing a single pen test is not the same as having a regular, scheduled and necessary programme of testing when the time is right.
So, maturity. It defines where you are now and shapes where you want to get to. It enables risk management. It allows for cost-effective and wise investment. It provides insight, advice and reassurance. It is the starting point to action, and it is the end point too. For those wondering how to start becoming a harder company to attack, you can do no better than to learn where you are right now by gaining an understanding of your current level of maturity.