Cyber security: 5 lessons for businesses from O2’s Blue Door Conference
At the Blue Door Conference 2019, delegates attended a deep-dive session on cyber security, drawing on the experiences of leaders on the front line of defence. Cyber security discussions can often descend into technical deliberations. Yet most of the audience were here to understand the tangible implications for business.
The host, Kelvin Prescott – Head of Presales at O2 Business – quickly put minds at rest. The audience would be hearing from a cross-section of experts, he said. And one of the key themes would be the human factor. As Kelvin explained:
“All the investments in technology do not matter if they do not have an impact on people.”
It was an issue that Jo Bertram, O2’s Managing Director of Business, had touched on earlier in the day:
“We need to protect the valuable data we all have.”
And the human factor was something that the expert panel of speakers returned to again and again, as the following key lessons from the day demonstrate:
1. Focus on the basics
“Cyber security isn’t sexy, or Earth-shattering, but it is necessary,” whg’s CIO, Zoe Larter, began.
“I get more specs from my daughter’s Lego sets than from some vendors.”
Just one of the myriad issues facing organisations of all sizes according to Zoe. Her talk highlighted the challenges of working with limited resources. And how you can still get on top of cybersecurity.
In Zoe’s experience, it felt like some vendors were constantly scaremongering. They were selling on the fear factor alone. The specs for their ‘solutions’ were often vague. And the prices were eye-watering. So how did Zoe and her small team find the right way to tackle cybersecurity?
They focused on getting the basics right first by:
- Building up a risk map to identify vulnerabilities;
- Following a health check to understand what wasn’t working;
- Developing their own cyber roadmap – a living document for change; and
- Creating campaigns that got more people to own cybersecurity too.
What did Zoe learn from this approach?
“To stay strong and avoid the scaremongering of vendors. To ensure the foundations are in place. And to trial solutions while building good relationships with vendors.”
2. “The best a CISO can be is a goalkeeper.”
A great line (one of many) from Luis González, Strategy Director of Eleven Paths – Telefónica’s Cyber Security Unit.
His review of how AI and blockchain could solve cybersecurity challenges was punctuated by a series of ‘Who Wants To Be A Millionaire’ style questions. The answer to the following question drew the most gasps:
Q: What is the cost of the average data breach in the UK?
- £1 million
- £2.7 million
(You don’t need to phone a friend though. The answer is C. £2.7 million!)
Following Zoe’s earlier presentation, however, the most instructive question and answer was:
Q: What % of data breaches are caused by human error?
The answer is a massive 88%.
And that’s why Luis said CISOs are often regarded as goalkeepers. At best they make lots of saves. But every now and then something that someone does is going to slip past. However, Luis did have two ways that tech companies can support CISOs in their defensive duties:
- Provide dynamic risk management – giving CISOs the capabilities to react in real-time and stay business focused.
- Train the next generation of talent – looking ahead to future needs and ensuring colleagues are ready for the next type of attack.
3. Stay ahead of the technology curve
Next, the audience was joined by CISO, CTO, policy author, and all-round cybersecurity expert, Fredrik Hult. Currently the Global Cyber CTO for the whole of Santander (a bank of some 230,000 employees), Fredrik joined Kelvin on stage for a noteworthy Q&A. Given there was plenty to discuss, here are just a few highlights from the session:
How do you build customer data confidence?
“More transparency, less jargon and by showing that technology can be trustworthy.”
What has the most potential to boost confidence and/or data protection?
“The guiding principle should be to move to new tech. Old tech is very difficult to defend. So get off legacy and onto new platforms with security built in.”
What do you worry about most and what should we be looking out for?
“Deep fakes that can undermine the digital interactions that businesses rely on to build trust. And teenagers with the cyber equivalents of RPGs. While government or criminal attacks often have clear motives, young hackers rarely do.”
What are the key objectives you would set for a CISO?
“Stay close to technology. Knowledge of governance, risk or compliance is helpful. But technology should be the CISO’s area of expertise.”
Embracing technology and educating people on the use of technology was a key takeaway from the Q&A and nicely set up Tracey Jessup’s talk about getting the message across.
4. Communication is key – your people are your best defence
‘Guy Fawkes: Today all he’d need is a computer.’
This was the strapline that made MPs sit up and take notice of cybersecurity. (People even pinched the posters!) Such was the impact of Tracey Jessup’s cybersecurity awareness campaign for the Parliamentary Digital Service.
However, CIO and Managing Director Tracey explained how her clear and concise cybersecurity initiative was actually interrupted and amplified by a sustained and determined attack.
“It was 2017 and right after a snap General Election. We discovered that the entire IT system covering Parliament was faced with a brute force attack.”
It got so bad that Tracey’s team took the unprecedented decision to block all users from their accounts. Thankfully, they had the weekend to put things right. On Monday morning, when MPs and many of Parliament’s other 9,000 users returned to Westminster to work, everything was in place to get them up and running again.
So what lessons did Tracey take from an attack of such size and scale?
“It wasn’t just technical controls we needed. It was awareness and people taking responsibility for staying secure.”
Posters with the slogan about Guy Fawkes were just the start. There was collateral designed to make people think, such as travel toothbrushes with the slogan: “You wouldn’t share your toothbrush. Why share your password?” There was a Cybersecurity Month with guest speakers from major services that many people use in their personal lives, such as Facebook and Google. And interactive information sessions tailored to the different kinds of people working across Parliament.
According to Tracey, it’s all about keeping people interested.
5. Cybersecurity or trust?
Sergej Epp from Palo Alto Networks encouraged business attendees to think a little differently. As he explained, trust is something that dominates our thoughts. But it’s often unrelated to security. For instance, some people’s fear of flying may be because they don’t trust airlines, in spite of their good safety record.
This same bias exists when evaluating new technologies.
“People don’t trust the tech of tomorrow because they might be impacted by cybersecurity. It means we have to change how we do cybersecurity so that it’s ready for the future.”
Sergej gave the example of public cloud. After years of concerns raised over public cloud security, people still don’t fully trust it. Yet, according to Sergej, public cloud has been built to be highly secure. Issues arise when users configure it incorrectly. So trust and cybersecurity are two different things.
But when an organisation overcomes its fears, not only can it see that a technology is cyber-secure, it can see that it’s trustworthy too.
If you remember only this…
This busy Cybersecurity session concluded with a quick-fire Q&A featuring all the speakers and O2’s Head of Security Ops, Heather Turner. Before everyone headed back to the main arena, there was just time for Kelvin to wrap things up.
Here were his top five takeaways for businesses of all sizes:
- Do the basics first – focus on policies and passwords.
- You can’t do it all – so build cybersecurity partnerships with others.
- Getting off legacy is actually a security strategy – modern systems improve your security posture.
- Think about where your cybersecurity investments go – should it all go on tech or is much of it better spent on user education?
- We’re moving into an age where trust and verification are crucial – but it will require a shift away from the language of fear.