At the inaugural Telstra Cyber Security Forum, held in Sydney, Australia, the reality of ongoing vulnerabilities in major systems was met with a call for a new approach to security risk management and incident response.
Security vulnerabilities show no signs of going away
During the recent Telstra Cyber Security Forum in February 2016, Andrew France, the former deputy director of GCHQ (UK) and now strategic advisor to the Wynyard Group, highlighted the lack of progress that has been made in producing software without vulnerabilities, either during creation or subsequent modification.
Analysis of CERT data on significant vulnerabilities over the last decade indicates that there has been no significant reduction in Common Vulnerabilities and Exposures (CVE) reports – despite the significant funds and person-years of effort that have been put into various initiatives such as "secure coding." Although such efforts are certainly worth continuing to pursue, security vulnerabilities are a bit like the common cold: they have always been with us and always will be, whatever we do – the trick is to "not let them develop into pneumonia," as Andrew put it.
The forum coincided with the release of Telstra's annual Cyber Security Report for 2016, which provides a keen insight into the company's security experience, both internally and from its extensive customer base. The report is freely available for download and is recommended reading for C-level executives and their direct reports – whether they are directly involved in cybersecurity or in due diligence on business risk management, which is an increasingly important part of the responsibility of all corporate leaders.
In fact, organizations that have transitioned to thinking of cybersecurity as a business risk to be managed across the organization, rather than a purely technical function, tend to have a better understanding of their cybersecurity posture and are better positioned to handle incidents. In addition, there is ongoing debate as to whether stacking boards with technical "uber-geeks" to handle technical issues is actually counterproductive, because it can lead to the propagation of the view that cybersecurity is the responsibility of the "boffins."
Of course, the biggest challenge is to communicate complex issues to non-experts without descending into jargon and acronyms. A simple model, used by Telstra internally and in security discussions with its clients, consists of five "knows," advising that organizations should
know the value of their data
know who has access to it
know where it is
know who is protecting it
know how well it is being protected.
These considerations are applicable to any organization in any industry and provide a simple, non-technical framework for boards and senior executives to gain a clear understanding of their risk profile.
"Reducing the security perimeter can minimize risk and improve the user experience," IT0007-000812 (April 2015).
Telstra Cyber Security Report 2016. Available from http://exchange.telstra.com.au/2016/02/23/telstra-cyber-security-report-2016 [Accessed February 24, 2016].
Al Blake, Principal Analyst, Public sector