Sometimes it feels like you’re on a hiding to nothing when you’re an information-security professional. You were hired to protect your business’s most critical digital assets – source code to proprietary software; confidential details of planned deals or mergers; customer billing information; and so on – and you’ve designed the system you feel is required. Yet not only is there now a block being put on the funds you need to build it, somewhere above you on the corporate ladder there’s resistance to your ideas about staff training and the need to explain why security is important to everyone in the enterprise. At this stage, just about the only things you can be certain of are that you’ve done the absolute best you can, yet the security system you’ve designed still isn’t effective; and if hackers gain access to any of that vital data, you are damned sure that during the blame game that follows, all fingers will be pointing in your direction.
It’s a problem that Peter Jopling has seen before, and – refreshingly – the 25-year veteran of the cyber-security business has a few ideas about how his fellow professionals can maybe start to help put it right. He’ll be offering a few thoughts on this during his presentation to this month’s RANT Forum in London, and will also be asking another pressing question: why, given the almost daily parade of multinational companies announcing damaging data-loss incidents, is this still a conversation we need to be having in 2014?
“My RANT is really about trying to understand the reasons businesses are struggling with security issues around how they’re managing their people, their data, and understanding what’s happening within their infrastructures,” Jopling, IBM’s Chief Technology Officer and Software Security Executive for the UK and Ireland, tells the Acumin Blog. “You go to any organisation and they’ve got lots of physical security, such as identity cards and restricted access. But actually, with regards to the actual data itself, many organisations are unsure about how they actually secure their infrastructures.”
Part of this will be down to the attitude of key staff, and another part may be more to do with misconceptions around data security. These, though, are more often issues to do with an individual’s perception; when it comes to institutional thinking, Jopling will argue that the misunderstandings are more fundamental.
“I’m going to talk about what some IBM research has found in terms of how big the problem is and what the types of attacks are – and then talk about why businesses struggle to address this issue around their users,” he says. “There can be a lack of understanding around user identity, and what those users are doing with the data, and how they are accessing it. Then I’ll discuss the difficulties around addressing anomaly and behavioural analysis, and the lack of forensic capability.”
The problem will be all too familiar to many regular RANT-ers. But surely, after all the recent high-profile hacks, this penny is starting to drop in the boardrooms of the continent’s biggest businesses?
“It is, but it’s a very, very slow change,” Jopling cautions. “We’re seeing a more positive stance, but even at senior level there can be a lack of understanding of what the issues are, how dynamic or invasive the attacks can be, and how readily available the technology is to carry them out. The issue can be not knowing where to start, and the problem seeming far too big to tackle. That’s an ostrich mentality.”
So, how can security professionals convince recalcitrant or poorly informed boardrooms to invest sufficient resources? Jopling believes that, while the security arguments may fall on uncomprehending ears, an argument based on the business case is more likely to succeed.
“It’s a different discussion these days,” he argues. “It’s not as much around, ‘We need some money to mitigate against a threat’; it’s actually, ‘If we put in a robust security policy we can actually take cost out of the business.’ If we have a security middleware layer that arbitrates between what the user’s trying to do and the data, we don’t need to reinvent the security wheel every time we build an application or service. So you can massively reduce cost, and increase your security in doing so.”
For more on how to get your board’s heads out of the sand, and of course the usual mix of banter, bonhomie and beer, come along to our tried-and-tested City of London location on Wednesday (June 25), and get ready to learn the art of corporate spin. Doors open at 5:30pm, with the presentation at around 6:30. Food and drink are free, but prior registration is a must. Please contact Donna Wreathall at Acumin on firstname.lastname@example.org or 0207-987-3838 to reserve your place; spaces are limited with demand running particularly high following the second RANT Conference, so do please get in touch as soon as possible.