Navigating new cyber threats, the rise of ransomware and how to report to the board. These were just some of the key themes at Infosecurity Europe 2022 that captured our attention. Here’s what we took away from a few of the keynotes.
Lieutenant General Tom Copinger-Symes, Deputy Commander, UK Strategic Command kicked off his keynote with a topical speech on how we might tackle cyber threats in the current, tumultuous security landscape.
According to Copinger-Symes, “the alarm went off years ago, we’ve just been pressing snooze.” However, the Ukraine crisis is a wakeup call. The ubiquity of technology means that state and non-state actors have a compound effect in shadow warfare. Ambitious, brazen and with a high-risk tolerance, these actors have increasing opportunities to operate across geographic borders.
So how do we combat both the above-and-below-threshold conflict? Copinger-Symes laid out the importance of “analysis, automation, and autonomy” as the three pillars of cyber defence. Analysis allows precision, automation means speed, and “autonomy provides mass”, irrelevant of the size of the workforce.
He also asked, “what are we doing about our digital foundation?”, explaining that cyber power starts with a strong digital bedrock. He stated his priority is nurturing skill and talent to develop a strong cyber strategy.” With the right talent, innovation, and integration, we can tackle impending security threats by continually strengthening our cyber defence.”
Kevin Jones, Corporate CISO at Airbus, discussed The Ransomware Paradigm Change, in particular, the shift from malicious links and downloads to a now professional economy with teams scanning and exploiting vulnerabilities.
Kevin mentioned it is not only large enterprises who are under threat but also the mid-market. SMEs that are critical suppliers to big enterprises are increasingly targeted as a means to get payments from large companies, as the attack impacts their supply chains and leads to discontinuity issues.
In the following panel discussion, Ransomware: To Pay or Not to Pay? Kevin spoke to Barry Coatsworth, Director of Guidehouse, and David Boda, CISO of Camelot, about the ethical and legal dilemmas involved with paying ransomware demands. They debated the ethical conundrum around the financial and reputational damage caused by paying or not paying a ransom, and about balancing the priorities of stakeholders and staff. They also discussed the benefits of working closely with regulators and cyber insurance providers for advice and aid in ransomware situations.
Paul McKay, Principal Analyst, Forrester, Jon Townsend, CIO of the National Trust, Sam Hart, CISO of Davies Group and Toks Oladuti, GD CISO, Dentons talked to the Cyber Security and IT Risks at the Board Level
The consideration of stakeholders’ priorities was also discussed in the panel discussion ‘Cybersecurity and IT Risks at the Board Level’. Jon Townsend, CIO of the National Trust, Samantha Hart, CISO of Davies Group, and Toks Oladuti, GD CISO of Dentons explored the challenge of engaging board members. The message was clear: understand what the board cares about, and tailor reporting to those goals. By thinking from the board’s perspective and using language accordingly, it is easier to communicate risk.
They also highlighted the challenges in communicating the effectiveness of one’s security posture, to both justify the investment and request more funding. They explained why it is important to frame the progress of mitigating risk in relation to brand and reputation and the value derived. Transparency in analytics is essential to support this.
These deep-dives into the most topical discussions in cybersecurity this year were a fascinating insight. What was clear across the board is this: ransomware is on the rise, the mid-market is a clear target and organisations must ensure they are better prepared. We will be exploring these themes further throughout the year, so keep an eye out for more of our blogs.