Humans and smart machines: A unified front to tackle growing cybersecurity complexity
- 03 July, 2018 12:15
Around the table: Vaughan Robertson, Beca; Kate Nikitina, Spidertracks; Chris Robb, Suncorp; Liz Cawson, Tower; Divina Paredes, CIO NZ; David Kennedy, Transaction Services Group; Nigel Stevenson, Kensington Swan; James Harper, University of Auckland; Tim Chaffe, University of Auckland; Andy Stewart, The Selwyn Foundation; Ryan Cotterell, ASB; Jacques Botes, Baycorp; Craig Columbus, Russell McVeagh; Julie Canepa, Cisco; Gerhard Nagele, Vodafone; Warren Seet, Auckland Transport; Jeff Brown, ASB; Jo Healey, IBM; Campbell Such, Bidfood; John Bell, Fletcher Building; Roger Wanless, Auckland University of Technology; Bernard Seeto, Southern Cross Health Society.
Concerted and collaborative are apt descriptions for leadership teams doubling down on their organisation’s digital transformation strategy.
But a growing number of companies are also taking these approaches to defend themselves against the criminal syndicates behind the growing number of global cyberattacks, according to tech execs who gathered in Auckland recently for a roundtable discussion. The forum was sponsored by IBM and Cisco.
Jo Healey, IBM New Zealand’s General Manager of Global Technology Services, says cyber threats are constantly emerging and security teams will continue to struggle to contain them.
“Security [breaches] can have a catastrophic impact and sometimes you want to keep it within your four walls. But the most practical thing you can do is to reach out and get a broader insight of the threat landscape."
“I would challenge people to reach out to their partners and providers and find out some of the ways these companies are proactively planning to make sure they are aware of new security threats."
“There are so many data points now and having AI and cognitive solutions like Watson in the security space is how the good guys are going to win,” she says.
Shifting customer expectations
Chris Robb, Executive General Manager, Insurance Technology at Suncorp, says that customers are becoming more educated on the impacts that can result from the misuse of personal data.
“The majority of customers who share their information these days expect that organisations will have appropriate levels of technology, processes and investment in place to safeguard their data,” says Robb, who was CIO at AMP prior to his current role.
He adds that while cybersecurity is one of the top priorities for a CIO, the accountability needs to extend through to the supply-chain, be that a large cloud service provider or a small web hosting company.
“While technical controls are more binary or obvious to check for, through activities such as security pen testing, it is important to also have qualitative discussions with partners around their attitudes to protecting customer data,” says Robb.
“Asking open-ended questions to get them to describe their processes, attitudes, initiatives, employee awareness level are fundamental in understanding their risk culture and about how important security of customer data is to a partner.”
Becoming the cybersecurity thought leader
Craig Columbus, Chief Information Officer at law firm Russell McVeagh, says CIOs need to raise the profile of cyber security with top tier managers.
Columbus advises dropping the jargon first and foremost.
“Few board members want to hear the details of a buffer overflow attack,” says Columbus. “Instead, communicate your message using plain language, framed in relation to the business."
“Tell the board, ‘We have an untreated risk that could result in public disclosure of our sensitive client data’ instead of, ‘There's a new zero-day buffer overflow attack targeting Linux systems,’” he said.
"Provide a straightforward and accurate assessment of the topic or situation. Neither minimise nor overstate the risk you are discussing", says Columbus.
“The board depends on accurate information when determining the best strategic approach to the situation at hand.”
“Speak up and be a thought leader,” he stresses.
Making strategic discussions
David Kennedy, Chief Information Officer at Transaction Services Group, adds that cyber issues at a board level are no different to any other compliance, operational, legal or strategic risk.
“We must ensure that we communicate all risks in a language that the board understands. Once it is treated like any other business risk it will receive the appropriate mitigation resources,” he says.
Kennedy says communication of cyber risk must be brought into the real world of possibility.
“We do this by using assumptions such as ‘historically, this has never happened before to any company in our peer group’ or ‘this risk is not listed by the reputable cyber risk expert forum OWASP’. It is only when you apply this common-sense approach that we will be able to productively prioritise cyber risk,” he says.
Kennedy says one trend across the globe is the commercial response to the growing cyber risk resulting in a plethora of security companies and information sources of varying quality.
He advises identifying true experts in the field and to follow their posts and communications.
Alternatively, Kennedy says Kiwi leaders can seek guidance from government departments that are actively trying to increase the level of cyber security knowledge across the country. They can also check on CERT, which has good basics and is trying to create information sharing among peer groups.
“With the phenomenon of ‘fake news’ we must create trusted information channels to corroborate stories we hear around cyber security,” says Kennedy.
“These could be individuals, security companies or government agencies and we must identify the ones that are most relevant to our business strategy in order to maximise value.”
“The most valuable contribution to security the executive can make is to include the ‘It’s everyone’s job’ message in their ongoing communications,” says Vaughan Robertson, group manager - technology strategy at Beca.
“When a non–ICT related leader trumpets the security message, it holds more persuasive power than when it comes from the CIO or CTO, who are seen as having a ‘barrow to push’,” says Robertson, “like the CMO banging on about the brand.”
“Incidentally, the simplest, most effective message from a non-ICT executive appears to be a warning to consider any request for user credentials as a red flag for double checking that the source is legitimate. This seems like a simple, pragmatic message that results in increased overall awareness of security by all users.”
Building a deeper bench of cybersecurity skills
"Spidertracks provides satellite tracking devices for aircraft, a product that is of value for providing peace of mind and saving lives," says Kate Nikitina, former CTO at Spidertracks.
“A cyberattack can cause product failure and customer data loss, which will lead to misleading information being generated by the system and fatal accidents. We take it very seriously, and it is quite well understood by the leadership team and the board. Clearly, it is not just an IT risk anymore, but a risk for the whole business."
Nikitina says for any new feature being developed, her team always included security as a part of the discussion.
“Interestingly, we can see now that the security of product is becoming a market requirement, as there are many more customers these days understanding the risks and asking about the security of the solution,” says Nikitina, who had moved to a digital development role in another organisation.
Scaling cybersecurity defence
“We have to think differently about how we deliver security as companies move to digital, with their reliance on cloud technology, mobility and Internet of Things, and new styles of work like DevOps, sharing, integration and open platforms,” says Julie Canepa, Chief Information Officer for New Zealand and Australia at Cisco.
These are outside the traditional parameters for security, she says, and this is making the job of information security teams a lot different.
At the same time, there is increased legislation coming out such as GDPR and the mandatory breach notification, Canepa says.
“We need to elevate the conversation of security; everybody needs to, if they want to be a digital company moving into the future. They need to look at how to bring in an integrated architecture in the enterprise. We just have to be one step ahead of the criminals.”
“It is very difficult to manage security especially if you are using so many different vendors. We are seeing large industry vendors working closely together such as IBM and Cisco bringing the power of the two organisations’ security together."
She says the security partnership between IBM and Cisco allowed the two companies to look into their products and embed better security into these.
IBM’s Jo Healey says the value of this partnership was demonstrated during the WannaCry ransomware attack last year.
Researchers from IBM and Cisco coordinated their actions and exchanged insights into how the malware was spreading. Afterward, they continued the joint investigation to provide clients and the industry with the most relevant information.
Healey regularly meets with the executive teams and boards of IBM clients.
Part of the conversation is always about education, says Healey. “There is a real need to be able to help everybody in the organisation understand what their role is when it comes to security.”
She explains that IBM has a very comprehensive programme on cybersecurity that runs across the organisation throughout the year.
“Staff have to constantly go and take online training, listen to webinars and attend seminars just to keep themselves aware of what is going on.”
Cyber education is a continuous requirement for every organisation, she adds.
“There is a real role for every business leader to be able to take a conversation on cybersecurity with their people,” she says.
And this influencing role is not just limited to technology and digital leaders.
“It is about getting a comprehensive education message through the organisation,” she says. “In a manufacturing organisation, for instance, it will come from the person who is running the robotics programme. Or, it could be the head of marketing or a human resources professional.”
She also says organisations need to put plans in place for when a breach happens.
“You need to know who are the people that need to be informed. Just understanding and continually educating or having it as part of your business training is a fundamental requirement. It is a business priming organisation, not a technology or IT department conversation.”
Sharing context and intelligence
Cisco’s Canepa shares the internal security framework that is applied by Cisco across the globe, with their 75,000 employees.
Defending Cisco every single day is a big job, she says. The company deals with 1.2 trillion network security events, and inspects 45 terabytes of network traffic every day.
“It starts with being security aware across the entire company. It needs to be a boardroom conversation, it needs to be something the leadership team has bought into.”
“We [Cisco’s Security and Trust Organisation] have built a security framework that everyone executes and lives by. The business and service owners are accountable to these metrics.”
She says the framework looks at people, process, plus technology, and considers what to do before, during and after an attack.
She says everyone in the organisation uses the framework, which is informed by data analytics, largely from Cisco’s Talos organisation, which has 250 security researchers, and by regulatory information based on what is happening in the world.
The framework has five components. The first is governance and operational excellence.
“We have privacy engineering within our products and our solutions. We do architectural reviews, we have processes and operations for handling vulnerabilities, as well as metrics and data for reporting and assurance,” says Canepa.
The next level, she says, is about people.
The company organises campaigns throughout the year, including staged phishing attacks. When it comes to cybersecurity, she says, “the human factor is the most unpredictable.”
“We can have the best technologies in place, but one of your employees can let you down and a vulnerability can enter into the company."
The third level is around validated identity. “We like to say identity is the new border,” says Canepa. “We want to know who you are, where you are, and what device you are using when accessing our network, and we will give the appropriate level of access based on this. We call this differentiated access.”
The fourth is about competent trust.
“We have a certification process, so that we have trust in the resources before we let our employees use them.”
The final piece, she says, is data. “We make sure we understand the lifecycle of data, where it is created or destroyed, and whether it is in our private centre or somewhere else. We need to understand and have visibility of that.”
“Interestingly, we spend most of our time, resources and budget on the 5 per cent we can’t prevent,” she says.
This means the time to detection is important, she says. “We use data analytics to find out about vulnerabilities out there.”
She says that Cisco shares its security framework with other industry leaders, and pointers on how to raise and elevate the importance of security in the organisation.
“A lot of it is about operational rigour and discipline as well as baking security into the process,” she says.
“Have it at the beginning, at the design upfront, and not as an afterthought.”