Discussion Summary

Information Security in the Digital Economy

Introduction

A gathering of information security leaders took place recently at the Royal College of Surgeons in London, hosted by HP and FireEye. Perspectives from a variety of industries were shared in respect of the growing strategic importance of security, both prior to and post breach.

This paper provides an anonymised and aggregated overview of the points raised and makes recommendations on how organisations can be proactive in respect of security management.

Where are we?

Looking first at the current situation. Technology advances and increased interconnectedness are conspiring to raise the spectre of security breaches. So much so that it is now a boardroom issue. Sony, Target, the US Office of Personnel Management and Ashley Madison come to mind.

For unscrupulous actors and even nations, it is easier and cheaper to steal the intellectual property of others rather than invest in one’s own research and development. Big and innovative organisations are attractive targets. Corporations, organised criminals and governments are amongst the perpetrators.

Identity theft is on the increase. As is identity exposure (Ashley Madison). The former can be financially expensive, the latter can be emotionally devastating.

It is generally recognised that perimeter security is no longer the focal point of information security.

Could it get worse?

From an information security perspective, it is far from a steady state. Threats to organisations and nation states are significant and evolving. Breaches are accelerating in terms of sophistication and impact. The increasing clock speed of business is not helping. ‘Fast and loose’ is becoming necessary to stay competitive, putting more pressure on the security architecture. Plus young people are less diligent in respect of privacy and this inadvertently creates hacking opportunities. Increasingly the value in organisations comes from creativity. Creative people tend to be process averse, and as such they will increasingly be a security risk.

Governments, corporations and organised criminals know the value in your data. Plus they see your IT infrastructure as the access channel. Many organisations are unaware that they have been breached. The average detection period is over 200 days after the initial breach. High profile cases have durations of seven years, such is the growing sophistication of the hackers. Unfortunately there is a correlation between the ensuing damage and the period prior to discovery.

The ‘hacking industry’ is very mature with an already established collaborative ‘supply chain’. Specialist organisations will focus on acquiring data or creating a ‘backdoor’ without any specific goal other than to sell their work to other parties who do have a specific agenda in respect of the compromised organisation.

It is also increasingly likely that the threat is on your payroll. The increasing trend towards the use of freelancers will compound the problem, as the transient profile of the workforce provides ideal conditions to operate from within the target organisation. The risk posed by a malicious insider cannot be overstated.


Poor, and increasingly digitised, processes and the associated inter-process design create vulnerabilities. And when the inevitable attack takes place, the current lack of international coordination in respect of threat response impedes the response.

As well as using ‘insiders’, suppliers can also provide soft entry points. Attackers appear to be patient and so are willing to play a longer game. Hybrid attacks, made up of internal staff working with external agencies, are also on the increase.

Hackers are getting more sophisticated, building malware into the tools used to develop application software. ‘Zero day’ attacks are on the rise, so the question is not whether you will be attacked but how quickly you can respond to the inevitable. The proliferation of user devices coupled with the rapid advances in personal technology increases the associated risks. Once in, the hackers are very opportunistic. Vulnerabilities can be exploited within seconds of the opportunity arising.

At the same time, the traditional trade craft of hackers is still a threat. Capitalising on human nature, by exploiting publicly available social network data through spear phishing, is a popular, simple and effective way to compromise organisations.

To thwart security management, hackers are increasingly embracing counter-forensic practices to cover their tracks.

Skills-wise, there is a shortfall globally in the level of security expertise available to help organisations counter this challenge themselves.

What are the implications?

The upward trend in exploits and exploitation methods is having serious repercussions on the victims. These include:

- Damage to corporate brands and the share price.
- Senior executives are being sacked and even being sued personally.
- Cultural breakdown as staff wonder which of their colleagues is not to be trusted. In nationally diverse cultures where some foreign nationals can be leveraged by their governments, this will be more acute.
- Massive strategic redirection. A focus on upcoming IPOs can, with one breach, shift towards how to wind down the organisation with minimum damage.
- Legal costs. Compromised security is a cash cow for lawyers. A poor response can prove very costly.
- Compromised organisations often, incorrectly, blame their security experts, and consequently lose their security talent, leaving the organisation even more exposed.

What can we do?

The perfect scenario would be to model your business on the former Alcatraz prison: highly compartmentalised with minimal access to the outside world. But unfortunately such a model would result in a strategic tailspin in the digital economy. Nonetheless you can still take pragmatic action to avoid or minimise the damage associated with being compromised.

Here are some recommendations:

- Recognise that threats are inevitable and that it is quite possible that you are currently compromised.
- Be fully compliant in respect of your industry’s expectations. But understand that compliance is unlikely to suffice in respect of eliminating security threats.
- Asset management is critical, coupled with an overarching security framework.
- Focus on securing the content rather than securing the end points. Classification management is important, though do so in such a way that does not make the hacker’s life easier.


- Educate the boardroom in respect of information security management. This means they must be cognisant of the risks and the appropriate level of cultural, process and technology investment required. Be clear on who owns the response once the threat is detected.
- Educate all stakeholders, including the staff, supply chain and customers, as to the threats and the necessary security policies and behaviours.
- Develop a security architecture that compartmentalises the threat and is sensitive to anomalous behaviour.
- Ensure the basics are in place, such as encryption, strong access control and identity management.
- Your security plans need to take into account immediate, near-future and over-the-horizon timeframes.
- Regularly review the actors who would be interested in compromising your business. Consider both the why and the how.
- Be clear on attribution before launching a counter-offensive.
- Understand that in the fog of war, strong leadership is required. As is a well-rehearsed response plan.
- Understand that in the fog of war, the manner and extent to which you communicate the threat to the public will determine the associated fallout.
- Develop a business intelligence approach that enables prediction of likely attacks.

Conclusion

The hackers are increasingly organised and state sponsored. A proactive approach to security will not necessarily make you watertight, but it will minimise the associated damage.

This is a boardroom issue, and thus it presents an opportunity to increase your boardroom relevance. Security is not a department but part of the organisational fabric that embraces both infrastructure and people.

It also presents an opportunity for your organisation to turn the security investment into business value. Robust security governance, including a well-drilled response plan, pleases analysts and investors. It strongly contributes to the levels of trust between your organisation and its suppliers, customers and staff. In short, it becomes part of your brand promise.

Ade McCormack

www.ademccormack.com

About the author

Ade McCormack is a near futurist, digital economy advisor, keynote speaker and author. He is a columnist with CIO magazine, and a former columnist with the Financial Times, focusing on digital leadership.

His experience extends over three decades and almost thirty countries across many sectors. He has written a number of books, including one on the future of work (Beyond Nine to Five – Your career guide to the digital age). He has also lectured at MIT Sloan School of Management on digital leadership.

For more information on Ade, please visit www.ademccormack.com.

About HP

HP enables organizations to take a proactive approach to IT security, disrupting the life cycle of an attack through prevention and real-time threat detection. With market-leading products, services and innovative security research, HP Security brings a global network of security operations centers and more than 5,000 IT security experts to help customers strengthen their security posture to minimize risk and incident impact. HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. With the broadest technology portfolio spanning printing, personal systems, software, services and IT infrastructure, HP delivers solutions for customers’ most complex challenges in every region of the world.

About FireEye Inc

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 3,700 customers across 67 countries, including 675 of the Forbes Global 2000.