I, like many other Cyber Security Professionals have worked at multiples of cross-sector companies, within both vertical and horizontal market sectors – from Oil & Gas and Utilities to Banking, from Insurance to Credit Reference Agencies, and from Local Authorities to Central Government, which includes both the House of Commons and House of Lords. Thus, I feel I have a multilayer appreciative holistic view of the overall delivery of Cyber Security Solutions, and the said operatives who delever the prospect of robust logical protection – which over time has demonstrated that the levels of skill I have observed have ranged from the accomplished, to downright lacklustre of any sense or modicum as to what real Cyber Security represents.
Discoveries and findings are too many to document, but to cover some notables, such as the Scottish Bank Director of IT Security who stated that ‘they did not intend to follow the PCI-DSS route as they did not agree with it!’, or the Credit Reference Agency who did not report the loss of Third Party unencrypted banking records because there was no proof they had been subject to compromise! Not to mention the Utilities Company who lowered the Security Testing level against Smart Meters to ensure they would pass the security assessment. And last, but by no means least, the Big Name Outsourcing Agency whose Digital Investigations and Forensic Team are classified as Accomplished Amateurs who fumble their way through investigative materials with, what seemed to be a complete lack of Investigative Processes, never mind an appreciation of what the rules were around dealing with criminal cases involving peadophillia – and not to mention the Head of Security locating UK Government Sensitive Services within Hostile Environments which were outside the mandated hosting protocol (a National Security Exposure)! With such a Micro view of what may be, a Macro issue, maybe it makes it easier to understand just how so many big-name companies have been compromised, lost data, and have fallen to criminals notwithstanding they are spending huge amounts of cash on Digital/Cyber Security.
As the last Chair of the DTI ISO/IEC 17799 (ISO/IEC 27001) Steering Committee, I am, and have always been supportive of Stadards which drive Governance and Compliance. However, when I see the opinion that to enable GRC (Governance Risk and Compliance) Frameworks are seen to be the silver bullet to accommodate all the security requirments, then I start to get depressed. Of course, you may not agree, but in my opinion, and based on what I have observed first hand, such Governance and Compliance implementations are very much complementary to underpin the pragmatic level of security, and do not in any sense lead the charge – in fact, there have been occasions which I have encountered where the tick-in-the-box to satisfy the ISO Audit has provided the death-blow for a security breach down the digital river.
The bottom line is, in this age of Cyber Insecurity in which the clear majority own an Individual of Corporate Digital Footprint, we must apply more rigour to those who we employ to serve up and support our corporate security profile – and to satisfy the expecations of the great unwashed public who look to the industry to ensure their personal assets of which we may be custodians are fully protected and of course notified when things do not go to plan.
Certifications are another instrument that may be used to prove, or disprove their skill set of the individual, but does as CISSP Bootcamp mean that the holder of the Certification really understands the depth and underpin of the high-level questions – or do they simply place the tick in the right box after being soaked in the seeing the correct answer? And does the profile of the Certified CISO make sense, or could it be the result of inter-personal collusion of falsified profiles and refences (Trust me, I know at least two individuals who fall into this criterion who have fooled the likes of some big-name companies, to take up high profile roles (but not for long)).
Yes, we are at a juncture at which we must evolve a Cyber Security Professional who can do more that just knock-out a Security Policy, or tick-a-box to prove compliance. We need an industry which can supply operatives who possess the Darker Skill Sets, and who can think as the attacker. We need professionals who can dig into the depth of exploitation of an isolated molecule of Intelligence, and then to extrapolate it out to meaning and thoughtful intelligence which may be leveraged to protect the organisation in real-time.
Granted, many will not agree with my opinion as outlined above – but on the other hand, there are many who do appreciate the approach of Disruptive Thinking which challenges the accepted norm in what would seem to be a landscape of failures – I guess that is why after 30 years I still get invited to speak at some important events, to the likes of the military and other such established. organisations.
Remember two facts, as I always say, ‘Imagination is the only limitation’ and ‘Fear of the new, is acceptance of the past’.