See more - Cyber Security Executive Insights

Cyber
Intelligence
The Deloitte Symantec
Executive Dining Club
A balancing act in security
The Deloitte Symantec Executive
Dining Club brings together the
leading users and thinkers in Cyber
Security at private dining events where
participants can speak openly and
in-depth about their Cyber challenges
and the latest ways to address them.
The latest event took place in Autumn
2014 in Central London.
Facilitated by Paul Maher MBA
Justin Buhler
The Tasting Menu
Antony Price
1. Poor board-level appreciation
of the scale of Cyber Threat
relate to its operations. Given the move
There is still a mismatch between the
blind faith in Information Security as ‘the
investment required upfront and the
last line of defence’, the consensus was
increased Cyber Risks organisations
Threat Intelligence services are ideal to
face - until there is a public breach. This
outsource to large specialist firms, who
turns out to be a ‘blessing in disguise’ as
have more resources to monitor them.
Deloitte
Symantec
Tom Horne
Ocado
Vince Pillay
Domestic & General
Alan Hamilton
to detection and remediation, rather than
it frees up spending to realistic levels.
Royal London
There is also a lack of acceptance that all,
Kevin Tongs
not just some, hacks need to be reported
Kier Group
publicly and quickly. This was described
as ‘Management by media story’.
“As soon as you
use Gmail you
3. The evolving role of IT Security
The traditional role of IT Security around
installing Anti Virus patches and resetting
passwords is redundant. With a
reputation of bringing bad news and
2. Complexity is driving the need
to outsource
preventing the business from producing
There was feeling that users expect too
roles which refer to data. As one diner
much of internal IT teams. Most remain
commented ‘It’s about distancing
blissfully unaware of the consequences
yourself from the IT department’. The key
of sharing data using inappropriate
is to make security controls as ‘invisible’
cloud-based storage and security
as possible. In fact, rather like the threats
services. A suggestion was to insource
organisations face, security pros need to
everything first, then outsource once
be dynamic - another reason to distance
the organisation has gained a full
oneself from the traditional perception of
understanding of the issues as they
IT.
results, IT Security is being replaced by
have ceded
control. Then
your employees
The discussion was framed around four open questions which provided
the spur for conversation.
•
need to
as IDC, is continuing to grow at rates in excess of 40% year-on-year, do boards
manage their
“
recognise this in their expectations about the IS organisation’s ability to defend
own lives.
against Cyber-attacks?
•
•
Alliances Marketing
Manager, Symantec
0203 637 0644
Are there examples of where the organisation is getting more complex and yet the
required security is not increasing at the same rate?
Contact
Sarah Jarvis
With the phenomenon of data growth which, according to industry experts such
Which areas of the Information Security Portfolio do you believe need to be kept
in-house, and thus you should be experts in, and which don’t?
•
Do you believe the skills market is keeping pace with Cyber Security Requirements?
Sarah_javis@symantec.com
Page 2
“ If a supplier
The Main Course
insists on
showing us
plans on their
‘Dodgy Share’
service, I
have to take
a risk-based
approach to
“
how much I
want to see it.
Statistics from IDC show data is growing in excess of 40%
year-on-year. Do boards recognise this in their expectations about the
IS organisation’s ability to defend against Cyber-attacks?
“We have 2,500 people and need 20
lawyers to cope with all the issues which
arise from data, which seems disproportionate. But this is a big issue. We have
14 million customers worldwide and 18
million customer records on our systems.
Access comes from everywhere; internally, externally and from partners. With
our need to comply with ISAE 3000 and
our move to Smart Sourcing this issue is
likely to get worse.”
“Boards may not appreciate the growth
in scope of attacks. We worked with a
shipping company which was moving
nuclear components and naturally got
hacked by a foreign power. That focused
minds.”
“ IT works
“Until recently, we had lots of little
to help the
business.
fiefdoms, which presented challenges.
Now we’ve embraced centralisation of
support functions (e.g. HR, Finance,
Procurement, etc), which makes data
growth and data sharing more
transparent. We are moving away from
the traditional perimeter security
approach to a casino model of security,
with lots more measures taken
simultaneously.”
“Most large UK banks regularly lose
millions to fraud. They have enough
resources to deal with that. Compared
to them we are still amateurs, yet we
produce a million alerts a day and so
we need to take a much more targeted
approach. As soon as you are hacked,
you have to report it. Not many boards
understand this.”
Are there examples of where the organisation is getting more complex
and yet the required security is not increasing at the same rate?
Everyone
comes to work
and assumes
their world
is inside
the office.
Users want
everything but
they don’t want
“
to take the
“A lot of the time, non-IT people do not
realise what they are doing is creating
data with corporate value. However,
when someone is asked to pay to have
the level of resilience they demand, their
perceived need for an IT service can
drop down their ranking of importance.
They will say ‘If it costs £25,000 to protect it, I will not bother.”
“In a non-regulated industry, users
naturally worry less about data being
responsibility.
Page 3
lost. As a security specialist, it is about
distancing yourself from the IT
department. So I report to the Chief
Architect who reports to the Chief
Operating Officer.”
“Our organisations are becoming more
and more porous and the reality is that
hackers are opportunists, specialised in
finding the cracks. There are a lot of
hidden costs for each control we need to
put in to allow printing and posting.”
“ The largest
Which areas of the Information Security Portfolio, do you
believe need to be kept in-house and thus you should be
experts in, and which don’t?
part of my
business is
shareholder
management.
If you can’t put
it in business
terms, it
will not fly. I
make a point
of being the
Information
Security
NOT the IT
“
Officer
security and then outsource once it is
fully understood. Where once the ideal
split between in-house and external IT
security expertise was once 80/20 now it
has reached 20/80 and is ‘M&M’ like i.e.
hard on the outside, soft on the inside.”
“We believe most organisations, who
do not ‘do IT for a living’ should go to
the Cloud. The first thing I do when I
hear about new vulnerability issues
like Shellshock or Poodle is to consult
the Symantec advisors. As a principle,
I would insource everything to do with
Do you believe the skills market is keeping pace with Cyber
Security Requirements?
“They used to say IT Security was
educate your users, use decent Antivirus, harden and patch when needed.
Nowadays Information Security is facing
more and more complex challenges,
but you have to make your security as
invisible as possible to the end users. [IT
Execs] today need to be dynamic because
often the business is shifting all around
you.”
Want to know more?
If you are a senior technology professional interested
in participating in future events, please contact Sarah
Jarvis at Symantec:
sarah_jarvis@symantec.com
“ There are a
lot of services
needed out
there which are
not yet being
provided by
“
suppliers.
Page 4