Ian Murphy: In this podcast, Garry Sidaway, Senior Vice President, Security Strategy at NTT Security, and Richard Thurston, Market Insights Manager at NTT Security talk to Ian Murphy at Enterprise Times, about the Risk:Value Report.
Garry Sidaway: Garry Sidaway, SVP of Security Strategy for NTT Security. I have very different hats with NTT Security, but mainly looking at the market challenges for our business and where we can actually support them from a broader cybersecurity perspective.
Richard Thurston: I'm Richard Thurston, and I'm Market Insights Manager for NTT Security. I've been managing the Risk:Value research which we'll talk about today, and I'm more generally responsible for understanding the security market and what really matters to our customers.
Garry Sidaway: I just want to give you a bit of background on the report itself and where we started from. It's actually the fifth year we've been running this report, looking at decision makers within strategic businesses across multiple regions, and looking really outside of IT and security-focused executives, so really understanding what their understanding of the cyber risks are within business.
Ian Murphy: One of the challenges we have when we do these reports is that often we talk to people who are “in the know”. People who know what we're looking for, people who deal with this, day in, day out. You decided that wasn't appropriate for this report?
Garry Sidaway: That's correct, Ian. We wanted really to understand the broader aspects of decision makers within business, who aren't necessarily focused on IT or cybersecurity and that's really why we wanted to broaden out our questionnaire. We focused on seventeen areas that we've identified over the past reports, to really focus on good security practice, but outside of that core skill set.
Ian Murphy: Richard, you pulled a lot of this together. It was a massive amount of data.
Richard Thurston: Yes, it's been really interesting to look at what business decision makers are thinking about cybersecurity. To build on Garry's point, it's really interesting how cybersecurity really impacts on people across the business, from facilities to HR, given all the people issues involved with cybersecurity and through to operations. It's been really interesting to get that insight and to understand what they're thinking, and we see quite a lot of difference between what HR people are thinking to what operations people are thinking and there is, in some ways, a disconnect with what IT people are thinking. We drill into some of those things in the report.
Garry Sidaway: We've also seen... I think this is again quite interesting, there's a great awareness there. So, across the business, there's a great awareness of cybersecurity risks. Three out of the top five business risks involved cybersecurity at some level and that was either cybersecurity threats, data privacy, or even critical national infrastructure.
Ian Murphy: Given that IT tells us that they're on top of cybersecurity and they know the threat, given the businesses have told you their understanding of this and they realize how important it is, why did we end up with a disconnect?
Garry Sidaway: That's a very, very interesting point, and I think this goes back to either engagement with senior management and not really emphasizing that. So, there's a great level of awareness, but actually, the implementation and the ownership within a business is seen as an IT problem, but not seen as everybody's problem. And I think that is where some of that disconnect comes in is, they see it as somebody else's problem to deal with and particularly that lays with the IT department and not the individual and not the board management.
Richard Thurston: What's quite interesting, Ian, is that we see that in many businesses, the security department isn't always responsible for security in all businesses we spoke to. So, we find that the Chief Information Security Officer is only the person responsible in a certain amount of businesses, but quite often, the Chief Executive Officer has responsibility on a day-to-day basis for cybersecurity and there's not always a security team there to back them up. That can be quite concerning.
Ian Murphy: But without laboring the disconnect, we've talked for a long time about why security is everybody's problem. This isn't just something we can solve with technology and that, perhaps, was part of our problem early on. We all thought there was a technological solution to this and that we didn't need to deal with the people problem. We haven't, as an industry, really solved the education problem. So, how do we now make this everybody's problem in such a way that people are invested in it, rather than what seems to be the common approach of, “it's everybody's problem but if you get it wrong, you're getting fired.”
Garry Sidaway: Yeah, I think it does come back to what we do from the grassroots perspective. So, we've engaged with the universities but I think there are more practical initiatives that we can take as an industry and - certainly as NTT Security - is bringing people into this and showing them that it is a core skill for everybody. But that internship in actually getting that practical experience, and working through... when I was a lad, working through the mill, going through each one of those stages. So, working in a SOC infrastructure, looking at answering the phone, which is a great grounding for people in how you express and understand information, and share information. All of those things, I think we should really start to focus on, and actually build that more into our educational system. So, all education nowadays, they've all got iPads, they're all aware of technology, but you've also got to relate that to the risks that they face.
Ian Murphy: But is it fair to say it's people coming into the business that are the problem, as opposed to people that have been there for a long time and aren't necessarily as technically savvy as the new generations arriving?
Garry Sidaway: I think that's where technology can help, so you can take some of those risks away with technology, but we're finding a lot of businesses are sort of caught in the headlights of that, so they're not quite sure which way to turn. There's focus with a wealth of technology and point solutions, but they don't have an overarching security architecture, or a real appreciation of where their real risk is. Is it in a technology area? Is it in their data center area? Is it in their mobile workforce? Understanding where their real risks are and then focusing on that from an architectural perspective I think is very important.
Ian Murphy: But that opens up a whole bunch of challenges for organizations. Let's take skills shortage as a first one. Everybody knows we've got a shortage of people. We can't magically make them appear overnight, but we've got to do something. How much can organizations rely on being able to attempt to offload their security problem to vendors like yourself and how much do we need to do a better job of bringing new people in, and I don't just mean degree students?
Richard Thurston: Well, it's really interesting, Ian, that over 40% of companies are saying that they don't have the skills or resources in house to manage the number of cybersecurity threats they face. And that's quite shocking that so many businesses are struggling and this figure is only going to grow as the threat landscape worsens. First of all, there is a lot of acknowledgement out there that businesses don't have the skills in-house and they are struggling somewhat, and they are showing this level of concern. Garry, you've got lots of thoughts on recruitment of people into this industry.
Garry Sidaway: Yeah, I think it is incumbent on businesses also to identify what resources they do have and I think there are good resources in organizations and it's then how you augment that with managed security service providers or a strategic consultant. But you've got to identify those resources in-house first. That's a good place to start and use those within the business as well to educate and broaden out that skillset. Then, focus on what's the really important things for those individuals, rather than, saying, well everything's a problem and everything's your security problem and you need to be responsible for it. So, I'm working from home. What are the key things I need to do to secure my environment when I'm working at home? If I'm coming into the office, then what do I do from that perspective? Do I wear a badge or do I have some smart system? All of those things. Just focus on the key points and getting the basics right is a good start.
Ian Murphy: If I go back 25 or 30 years ago, when I was doing technical support, when we were trying to get new systems into sales teams, we would pick on the senior sales secretary. Why? Because that was the person who understood what was going on in that department. Everybody went to her with their problems. She was probably the most technically aware in most cases. Educating her helped to educate the rest of that team. Do you see companies, from a security perspective, making a concerted effort to identify those people in teams who've got some security awareness and using them almost as a localized center of knowledge for that business team?
Garry Sidaway: I think that's a great point, actually. We spend a lot of time talking about security policies and we do awareness training, but it's that relationship to their work environment that makes that different so it makes that connection. Generally, you're looking at it from a broader spectrum rather than actually, yes, I'm sitting in an office and these things apply to me because I know the guy sitting next to me has been through this and has identified it. That human connection is very important when you're looking at cybersecurity. We tend to lose track of that when we're writing security policies, for example. You've got to make them practical. You've got to relate them to a story that people understand, because it then becomes something that they can connect to, rather than a static document that says, okay, you need to do these things. You need to make it connected and that again, will reinforce the security practice through the management structure as well. You need that discipline.
Ian Murphy: When we think about policies, cybersecurity is not a simple thing to solve. It would be nice if we could go to the shop and buy two boxes of cybersecurity policy, drop them into the office and say, 'Here you are everybody. Done. Read it. Use it.' It's a living thing. It changes every minute of the day. It changes by the attack. It changes by the size of the company. It changes by our circumstances as a company. Where are we with companies actually having valid cybersecurity policies, rather than a tick box in the compliance form?
Garry Sidaway: From our report and the index, nearly half don't actually have a security policy in the first place. Somewhere to start is resolving that problem. It's identifying the real risk to that business and writing policies for that, rather than going and getting your two boxes from the shop. You've got to make it relevant to that business, and you've got to make it active within that business as well. Those are two things that we've certainly seen in the report that says it shouldn't be static. You've got to review these because the threat landscape is constantly changing. You've got to make sure that policy is up-to-date and carrying on but you've also got to test it. That's the other area, that we've seen in the statistics again. That, whilst policies might be in place, they're not active, they're not alive, they're not tested and that certainly is something a third party can make sure that they're actually doing. The third-party view of that policy is a validation of where it is.
Richard Thurston: That's really interesting. So, 58% of organizations, according to the Risk:Value research have a formal cybersecurity policy, so that’s less than three in five. This is really concerning and it's only increased by one percentage point in a year. A lot of businesses aren't making progress with developing these cybersecurity policies.
Garry Sidaway: I think the counter point to that, though, is that they all accept that good cybersecurity benefits the business and also, they relate it to benefitting society. 90% said actually, it's a benefit to society to be secure, but we're not seeing that connection.
Ian Murphy: But if compliance is as important as companies claim it is - and here we are, one year on from GDPR where you'd think that cybersecurity would've moved up that food chain to have a formal policy - 58% sounds atrocious.
Richard Thurston: Yes, and on the compliance side of things, there's a number of really interesting things that we've found. Only three in ten companies think that GDPR applies to them, despite the fact it applies to every company that does business in any member state of the European Union. So, that's really, really concerning. So they do think compliance is important but the awareness of what matters to them is really low and we see that 36% of organizations would actually pay a ransom just to try and avoid their compliance obligations. This is really shocking.
Garry Sidaway: Yeah, we've seen some really worrying headlines against that as well and generally our advice across the board is not to pay ransoms. Businesses are in a tricky situation when you actually look at that, but you're fueling the attack vectors. But it's very difficult when you put a business in that situation of what are they likely to do? That brings you back into, okay, what should they be doing? How are they looking at backup infrastructures? How are they looking at incident response and looking at those types of things as well when they come to a ransomware perspective.
Ian Murphy: Kind of brings you back to where I started on the question, which was the complexity of a cybersecurity policy. If we think of a backup policy, or we think of a disaster recovery policy, we think of an employment policy, these things are fairly cut-and-dried. The problem with cybersecurity is it cuts across the whole of the business, both horizontally and vertically. Every role is affected by it. Everything we do is affected by it. Should we therefore be looking at cybersecurity policies as, how does our business function and how does our business continue to function, rather than just talking about cybersecurity?
Garry Sidaway: And that is really interesting, Ian. We've got sucked into this, as an organization and as a business and industry to say, 'Well, your starting point is always going to be your security policy. You've got to relate that to your compliance initiatives.' To Richard's point, sometimes they understand what those are, sometimes, they don't. It's that connection with actually what their real risks are and understanding that, putting an architecture around it that actually is appropriate. That's the other area that a lot of businesses don't understand. What is my appropriate risk posture, how do I manage that effectively, and where are my real risks?
My favorite one always is British Airways. Spent a huge amount of time focusing on engines and flights and their planes and actually couldn't fly because they couldn't put a sandwich on the plane. So, your real risks come from different areas. A bit of an extreme example, but as an organization, you always need that outside view. Because when you're in that business, you think, 'Okay, this is important to me because this is my business and how I run it.' But that external view gives you that different perspective. How you partner with a broader spectrum is for me important.
Ian Murphy: But how much of this is also partly stale thinking? If we go back twenty years, the idea of home workers was a rarity. It might be an occasional director at home. If we think about today, people want homeworking as a right. They want the ability to work from home, but in terms of protecting company data and systems, that creates a vastly complex set of problems. You don't know who else is in the environment. You don't know what equipment they're using. Is it their own? Is it up-to-date? Have they managed the endpoint protection on it? How do we reset our expectation from: ‘we'll build a process based on us owning this building, four walls and being able to build a fortress,’ to: ‘we're really trying to protect a shifting sand dune?’
Garry Sidaway: This is certainly where from a global NTT perspective, we're looking at those smart initiatives. You're looking at that smart society and that smart-connectivity piece and then how you layer over technology, how you layer over an infrastructure, that allows you to be dynamic in how you secure that. That will be a really interesting development as we move that forward. As NTT, we've seen some of those initiatives come through.
So, in terms of the work that we do with the mobile industry, the work that we're actually doing with large city infrastructures is trying to look at what you can do, to move those dynamics on, and to your mobile and homeworking perspective, how do we put an infrastructure in that is secure by design out of that perspective. How you develop applications, how you deliver those applications, how the user authenticates into those applications, then become part of that smart infrastructure that you can rely on. You're removing the moving part of the human element in that to say, 'Well, actually, everything we deliver to you is secured but what you need to do is these things to make sure that you're in that environment in a secure way.'
Ian Murphy: And that brings us back to the earlier point, that cybersecurity is everybody's problem, not just IT's. But it also takes us off into one of the other results you have in the report. The worry about critical national infrastructure. When we look around today, we see strikes, particularly in the United Kingdom, where railways suddenly come to a grinding halt. We see major road incidents where you sit in traffic for five, six, seven hours, and go nowhere. That's helping to drive the idea of people working from home, but at the same time, we're seeing headline after headline of attacks by Russian hackers or Chinese hackers, or some other state-sponsored hacker, looking to take down electricity, take down communications, take down other things. It drives us closer to that idea of people working from home, because it overcomes reliance on one of those things. What were the key elements that people were really worried about?
Richard Thurston: That's really interesting you talk about critical national infrastructure, Ian. What really surprised me actually from this research is there's a lot of recognition of threats to critical national infrastructure, be that telecoms networks, medical facilities, food networks, power networks or water networks. There was actually a surprisingly large amount of recognition of the fact, there is actually a threat here. There is a recognition that that threat could impact the way you do business. 35% of businesses are saying that a cyber attack on critical national infrastructure could actually affect their organization in the next twelve months. That's really shocking because for a long time, people didn't really consider threats to CNI to be an issue. All of a sudden, the attacks you see on smart cities, or the attacks you see on financial systems, that are being reported by mainstream media, are really making people realize, there is an issue here that could impact them.
Garry Sidaway: As a business though, what do they do about it?
Richard Thurston: Well, it's really important as a business to ensure that your architecture is resilient. So, you'll have a connection to the Internet but if that goes down, then what do you do? You should be looking at developing a resilient network architecture and SDN can help you with that (software defined networking). It's about looking at your response to an incident and can you recover if something happens? Don't assume, 'It won't happen to me.' Whatever business you're in - whether it's high profile or low profile to cyber criminals - your business could be impacted by downtime, so what do you do if something goes down?
Garry Sidaway: To Ian's point, you're stuck on a train. I used to get to an office, now I'm stuck on a train that's been crippled by whatever. What do I do? How do I connect into that network? Do I have a process that says, okay, now I'm not in my office, what is my security profile against that? And I think that's a key problem.
Richard Thurston: Well, the old problems still exist. We can still be hit by travel problems and that's all part of a good business continuity plan.
Ian Murphy: I remember when we had business continuity plans and we said, 'Well, what if people can't get in by train? What if we have an electricity problem and we can't use our electronic keys to get into the building and we've got to find somebody with a physical key?' This was all things that we did, not just five years or ten years or fifteen, but we did it 20, 25, 30, 35. We've always had plans as to what to do if the business is hit by that. With cybersecurity, we seem to be forgetting that there are basics that we've always done to keep our business running and we've wrapped it up in, 'Oh my God, the bad guys have hit us,' and people seem to go into a blind panic. We've got to stop this, surely?
Garry Sidaway: There are a lot of headlines that drive this but there is that practical reality as well. We have come a significant way and I think we should never lose sight of that. Our environment is a lot more secure than it was. There's clearly a changing threat landscape but I think we have come a long way in terms of security education. Again, from the report, there's a lot of security awareness and it's actually now connecting that to the more practical things that we can do from an individual perspective and making sure that all of that comes through. We've just moved our headquarters. We've moved into a beautiful office in Theale and we implemented our work-at-home plan. It was already there, everybody knew it. We didn't have any disruption. We went through and it followed through very nicely. We didn't have to rewrite it. Everybody knew it was there and it was implemented.
Ian Murphy: But is that not the key phrase: 'Everybody knew it was there.' When I spoke to Kai Grunwitz, a couple of weeks ago, one of the points he made was that when we think about dealing with incidents, most people don't know what their responsibility is. A lot don't even know they're supposed to be involved. It's a communication breakdown inside a business, surely?
Garry Sidaway: I would certainly agree with the level of communication that's required. That level of how you respond to an incident, that testing of that plan is equally important to those static things that we write and never go back to look at, that certainly has to be changed within a business. It's actually what do we do in a disaster, and it's not necessarily a cybersecurity disaster, it's what, and who is then responsible. And to your point, again, how we communicate. There's a lot of emphasis within businesses to communicate externally. This is what we're doing. This is how we've handled it, but it affects everybody internally as well and sometimes that's lost in that situation where you're in blind panic and say, 'Well actually, I don't know what to do.' You do, if you go back to that basics, and it's getting that natural basic instinct to say, 'Ah yes, I know what to do in this situation and how to communicate that.'
Ian Murphy: Most of the time, we look at these reports and we look at the data and our analysis, in the microcosm of a business. The reality is, we're moving into a phase where we are becoming a smarter, connected society, where we are interdependent upon other people's electronics, upon other people's systems. Therefore, any outage, any issue becomes amplified. Were people worried about this when you did the report and if so, what sort of things have they particularly focused on?
Garry Sidaway: Clearly, from a broader NTT perspective, we're seeing a lot of smart initiatives and we're seeing a lot of that in terms of: how do we make our people movement more efficient? How do we identify certain critical areas of risk within a smart society? You can look at initiatives around using microphones, and privacy and compliance come into play, which is causing businesses and certainly some states in America some dilemma, around using facial recognition technology. As a society, we're always going to push up against those boundaries, to get to that next stage, and I think we're at that tipping point now, where we are more accepting of a little bit of invasion of privacy to make things better. I'm moving within a city and I know that I can go via this route because I've been alerted by my smart app that says 'actually, there's a bit of a problem in this area, so I would take this route'. It's very similar to what we do when we're driving our car: 'There's been an accident, you're still on the fastest route so carry on, or actually, there's a bit of a crowd disturbance here, let's route you a different way.' That comes in when you start to look at this and people then become more acceptable to it.
Compliance is a really interesting area at the moment because as a business, we're looking at data privacy. It's a very important issue but as a business, we also want to share information because it makes us more intelligent and more focused on the risks, and that dilemma is causing us real concerns. There's a lot of initiatives to keep data either in country or in region, which again is putting a lot of pressure on organizations such as ourselves. Well, how do we share data then? How do we make the most of this data when we're facing a global risk problem?
Richard Thurston: I thought that was really interesting, Garry. Smart society is such a different area to the classical telecoms universe. The old world of securing a network connection was far simpler. Now we're securing smart cities which are essentially a physical infrastructure and lots of sensors. That brings on whole new challenges and a lot of municipal organizations don't really understand intuitively how to secure those smart cities. I think there's a lot of new challenges there, that certainly we can help organizations and cities with. Just diving into the research, asking organizations quite how important they thought cybersecurity was to society, and a massive 88% came back and said we really need cybersecurity for next-generation society.
Garry Sidaway: It's how you connect to that smart world and going back to critical national infrastructure, the risk against that. As we make our cities smart, as we make our cars smart, as we make our society smart, all of those start to interplay. We know that's a honeypot to a lot of threats and a lot of risks. So, my smart city now becomes bottlenecked because all the traffic lights are turned off. We do need a different approach to that. How you segment that and how you look at those risks will be a different challenge as we move forward. It's not just a business challenge that we're broadening out into.
Richard Thurston: And beyond smart cities, we're looking at a lot of interesting areas, like smart sport, for example. NTT is an official technology partner of the Tour de France, the cycle race, and the Tour de France processes, as you may know, an enormous amount of data. Some of this is really personal to the cyclists, some of it is really personal to the organizations concerned, and it's actually really important to secure that data. If information on someone's medical conditions is obtained by a hacker, that's a serious issue for that cyclist. Smart societies encompassing so many of these areas around smart cities, like we were talking about, smart sports, and we get into agriculture. There are so many aspects of smart society that need to be secured.
Ian Murphy: But securing that isn't going to be easy. To take the numbers you gave us earlier, only 30% thought GDPR applied to them. If we're talking about a smart environment, that's 100% of everybody, all the time. If we're going to have people understand what they're doing here, people themselves have to take responsibility for what information they give away. As we've seen in Toronto, this is not just about surveillance cameras looking down at people, it's what information those cameras gather. It's how the AI systems and the other systems that are behind, take that data, use that data, more importantly, compare it with other types of data. How can we promise citizens privacy? If I want to give you services, tuned to you for exactly that moment you want them, I have to have incredibly intrusive, accurate and personal data. People don't want that, but they do want that service.
Garry Sidaway: Yes, and that's always been that challenge of how do you, as society moves and evolves, we want that personal experience. We want to be treated as that individual and have those services, but it then requires us to be open around some of our personal data, and I think we will become more acceptable to that. The challenge that raises is generally we use the same personal data. I buy flowers for my mother; I will use the same data as I use for applying for a mortgage. All of those things have to change and I think a smart society allows us to take a different approach. I know, now, because of my smartphone, I'm sitting in my London office. I know now, because I'm sitting next to Richard, that we're both in the London office, and I can use those data points to validate where I am, and that openness of individual pieces of data that can't be connected but you can connect them in a smart society, brings a next level of security. Risk avoidance becomes quite interesting when you start to look at how you connect all of these pieces of data that could potentially be associated with an individual, but you scatter them, you connect them through different ways, that brings a level of security into it.
Ian Murphy: We've seen this in the past. We've seen people talk about being able to hold data in isolation and very quickly, we've discovered that when you connect two or three pieces of those isolated bits of data, the rest of it becomes very obvious. If we can't maintain that data separation at a business level, if we can't maintain that security and privacy at a business level, how on earth do we scale that to a society level?
Garry Sidaway: Because the challenge is different. Where you look at a particular business, you know where that particular business infrastructure is, then you can profile that environment. As you move into this next world of a smart society and a smart-connected society, that becomes effectively a moving target. So, Richard's example around the Tour de France, that is constantly moving and it's a constantly changing environment that then becomes very difficult to profile and attack. That data is constantly on the move, and shifting between different infrastructures, and that becomes quite compelling when you look at it from a security perspective, because you don't quite know where to attack. What profile am I trying to pick up as I move through that? As we broaden out and become actually, probably more diverse in what we connect, it then becomes very difficult to actually get a consistent profile about an individual or about a business. That actually becomes quite an interesting area that, as a security industry, we should start to look at. I don't think we're there yet, but I think certainly, as we start building out a more connected society, you can actually then start to secure it better, because of that diversity.
Ian Murphy: So, does that mean all the work we're doing at the moment for cybersecurity policies for business, all the privacy work we're doing at the moment, that we're becoming obsessed by because we have to for compliance, all those regulations that we're trying to meet are really just one step to a whole new system where much of that will become redundant over time?
Garry Sidaway: I don't think it'll be redundant. They become the building blocks, and this is where you need to do those basics, but you need to connect that business into that broader perspective. That's where the challenge will come as we move into this connected world and connected society: how do you build on those pieces that actually lay the stronger foundation? It goes back to the earlier points we were making. As individuals, what are we aware of? Where are our risks coming from? How do we actually connect into that world? As an infrastructure provider and a business application provider, they've got to start thinking that way and that's certainly our future challenge, is how do we start thinking in that connected world and that connected society, to actually layer in security and layer in risk avoidance? And make it, we shouldn't be having this conversation because it's automatically secured, because we know it's been delivered in that way.
Ian Murphy: I think the promise of everything being automatically secured will make many of the respondents very happy.
Richard Thurston: And one final thing. There's a lot of really insightful things in the Risk:Value Report, so to download it, go to www.nttsecurity.com.
Garry Sidaway: There's some really practical advice in there as well, which we probably didn't touch on. Some practical advice for everybody, so some key things that we should also look out for.
Ian Murphy: Garry, Richard, thank you very much.
Garry Sidaway: Thank you, Ian.
Richard Thurston: Thank you.