One of the big themes at The Digital Transformation Expo (DTX) at the Excel centre in London was cybersecurity, and how best to defend against cyber threats. There were a lot of talks about threat intelligence, and what new trends and attack patterns to look out for.
With constantly moving threat landscapes, companies urgently need to adapt a threat profile, and have a reactive plan with methods ready if a threat appears. And they need to know what data is of interest to those who want to steal it.
Have a back-up strategy
“Think why you as a company could get targeted. It starts with an analysis where you tackle potential risks. And have a back-up strategy,” said Sean Busby, Head of Offensive Security Operations, Founder and Leader of the Red Team at the UK Ministry of Justice. “The first thing to think about is how the threat presents itself.”
And Bharat Mistry, Technical Director at Trend Micro, advised: “Make sure that your security strategy matches the business.”
Making a threat profile is work that takes years, and it needs to be organic where ‘no size fits all’. “Cybersecurity is changing all the time. You need flexibility,” said Annette Sercombe, Chief Information Security Officer at the UK Met Office.
Understand consequences
Steve Kinghan, head of cyber operations at Hiscox Insurance, emphasised the seriousness of understanding how the company infrastructure looks to potential attackers.
It’s also important to have a realistic understanding of the consequences and what the company could lose in an event, and what it would cost to prevent that. Guy Golan, CEO of Performance, highlighted the gravity of getting your data knowledge right.
“If we don’t know what we are protecting, we are dead in the water,” Gareth Neal, Founder, Parker Neal, added.
Many speakers and leaders referred to the Uber incident in which 57 million users were exposed.
Getting the board onboard
But how do you get a complex topic like cyber security on a board’s agenda? All the speakers were united on the solution – keeping the language simple to make technology understandable.
“You need to talk in their language,” added David McKenzie, Cyber Security Operations Director at National Grid. Everyone agreed that “if you understand, then you will get involved”.
But it’s also important not to be scared of the topic. “Don’t sell fear, sell clarity,” said Gareth Neal.
Crisis training important
Busby and Kinghan both stressed the importance of crisis training and incident response in crisis management, pointing out the difference between simply clicking through and gaining deep understanding.
All the speakers agreed on the importance of having the right people in the room, and of following the preset protocol. “If it’s not in print, it goes out the window,” said McKenzie. “Cyber doesn’t exist. Cyber is just an operational risk. Practice, prep, and make sure that the incident manager is in control.”
“Preparation is beyond cyber. Chaos will be, it’s just about how big it is and how you handle it”, said Guy Golan.
“Resilience is the key. Start teaching the staff and the board”, said Quentyn Taylor, Senior Director, Information Security & Global Response at Canon.
This is not a complete reproduction of what was said at this conference – it is an edited version based on the reporter’s understanding of what was relayed. This content has not been approved/endorsed by the speakers.