Has the 'cyber security' phenomenon caused confused thinking and an imbalance in modern corporate security governance? Are we indiscriminately throwing money at the cyber problem, looking for technical solutions to a 'technical' problem?
There is considerable evidence to suggest that not only is this true, but the ‘Cinderella’ disciplines of protective security, physical, and particularly personnel security have been left behind. Ironically, this approach has left us more exposed to cyber attack, especially as it is well evidenced that over 60% of cyber breaches involve insiders.
So is it time to rethink security governance and bring it under one unified umbrella? The UK Government, Barclays PLC and a number of highly respected security experts certainly seem to think so – believing that the next generation of threat requires a blended response, encompassing a physical, psychological and digital understanding of security.
One only need consider the catastrophic events of 9/11 to recognise the impact of incoherent governance and lack of coordination. Of course, cyber security is not measured by lives lost (at least not yet), but rather by wrecked reputations and sacked CEOs, loss of privacy, theft of data, intellectual property and money. Illicit cyber activity is even suspected of having undue influence on election results. Common sense dictates that a holistic, joined-up response is required to meet this increasingly sophisticated and prolific threat. Why then is such a response so rare?
Protective security professionals have for decades cited the need for holistic security, covering all three disciplines of personnel, physical and cyber security. However, security governance has tended to grow organically, with policy being written reactively and often in isolation, particularly in the new realm of cyber security. Management control has been siloed. Cyber security sits with the IT department, personnel security with HR, and physical security within infrastructure departments. Budgets have also varied considerably, with resources for personnel security falling way behind. A recent SANS Institute report found that a quarter of US businesses had no budget for insider threat protection.
Perhaps it is entirely logical that cyber security budgets are substantial, given it is a major headache for most organisations. Paradoxically, cyber security is still not a top priority for Boards, with only 40% believing it to be an important issue. Despite this, cyber security budgets typically make up a whopping 10% of IT budgets. Quite simply, the last two decades have witnessed a confused and incoherent response to this threat. Some organisations have ignored the risk and suffered the consequences of a serious breach, whilst others have spent millions on technical defences and suffered the same fate. So what is the answer?
Security is complex and difficult, and of course when you get it right nothing much happens – that is the point after all. However, there are some guiding principles which apply equally to cyber as to other forms of security. There is considerable misunderstanding around cyber security, which some vendors exploit, peddling complex and expensive technical solutions. Paul Martin, a highly distinguished and experienced security expert, is a voice of reason – “cyber is a new way of doing old things…. the same fundamental [security] principles apply, including the preeminence of the human dimension”.
Cyber is a multi-faceted and asymmetric threat. In a world of increased foreign and economic hostility we face an amalgam of state actors, organised crime gangs and terrorists, as well as ‘hacktivists’ and disillusioned geeks. Despite these diverse threat actors, it is a remarkable and overlooked fact that 60% of cyber breaches result from insider actions, both inadvertent and malicious.
Clearly the solution requires a sharper focus on the insider threat, and the discipline of personnel security. A behavioral and cultural shift is required, in tandem of course with technical solutions, policy and new governance arrangements. But the world of security governance and accountability is muddled.
Many organisations appoint a Chief Information Security Officer (CISO) to their Board – a role that requires a nuanced combination of technical know-how, business acumen and management skills. However, their remit can often be unclear. For example, most organisations also have a Chief Information Officer (CIO) and even a Chief Security Officer (CSO).
It is notable that in situations where the CISO reports to the CIO (a fairly common occurrence), a conflict of interest can easily arise, with ICT business delivery taking precedence over security needs. A recent two-year study found ‘the majority of lower-performing CISOs reported to the CIO, or a similar technical role, whereas the majority of high-performing CISOs reported to a role defined in terms of the wider business or risk’, typically the CEO or COO (Chief Operating Officer).
Additionally, it is very common for the HR Director to be responsible for personnel security. Yet, ultimately, it is the CEO who is expected to fall on their sword for cyber negligence; the most recent example being Equifax’s CEO, who ‘retired’ following a massive compromise of over 145 million personal records. This confusion at Board level can lead to duplication of effort and overlap of responsibilities, or more worryingly, it creates gaps in the security structure, thus increasing overall corporate vulnerability.
The UK government has recognised that security governance arrangements were inadequate to meet future cyber and digital strategies. It has created a unified Chief Security Officer post to lead across all disciplines of physical, personnel and cyber security, providing a single point of accountability, responsibility and leadership for the necessary cultural change. In this way both the CISO and CSO roles (or government equivalents) have been superseded.
Similarly Barclays, the 300-year-old banking group, spent two years transforming its security division in order to respond to future threats: “Rather than focusing on security silos such as ‘cyber,’ ‘physical,’ ‘investigations,’ ‘insider,’ or ‘resilience,’ we are focused on delivering ‘security’ as a whole”.
The issues outlined above are understandable, given the proliferation of the cyber threat. However, the structures and practices that emerged have been driven largely by crisis management. Clearly there is now a need for reflection within the sector, particularly in relation to the clarification of accountability at Board level, coupled with a renewed focus on the physical and personnel security disciplines, all within the context of holistic cyber risk management.