Imperial College London

What keeps Chief Information Security Officers up at night?

by

Round table discussion

The I-Hub at Imperial White City was recently visited by a set of large global companies for a round table discussion on cyber security.

The event was hosted by Inogesis and sponsored by The TÜV Rheinland Group. Professor Deeph Chana represented Imperial College London at the table.

When large corporations worry about disruption, they’re usually thinking of innovative start-ups stealing market share from under their noses.

But another form of disruption that companies should worry more about, according to Chief Security Officers at some of the world’s largest companies, is caused by cyber security threats.

Companies are increasingly direct targets or collateral damage to threats coming from criminal bedroom-hackers and hostile nation states, be it for fun, for profit or for geopolitical gain. Large, bureaucratic companies can’t always keep up with the rapid technological development in security, leaving them vulnerable.

Only recently, Norsk Hydro, one of the world’s largest aluminium producers, was hit by a cyber attack which caused plant outage and a dive in share price. 

This is what keeps a lot of Chief Information Security Officers (CISOs) up at night, and why Imperial teamed up with Inogesis to host a Security Forum. The event was a candid discussion among senior executives and government representatives to share what troubles them and how they are responding.

Some common threads emerged that underscore both the issues and the potential solutions.

A major concern for all around the table was the threat to the Operational Technology, OT, which keeps factories, logistics centres and fulfilment depots ticking over. The computers and hardware that make up OT are increasingly connected to the internet, which brings huge efficiencies, but leaves them vulnerable to cyber security threats.

When a cyber attack strikes, as the Norsk Hydro incident shows, output from OT-driven facilities can grind to a halt causing ripples up and down the entire supply chain.

So how can organisations try to secure themselves against these threats?

One word came up time and time again in the discussion; culture.

Security needs to be a part of the culture of organisations, not something that is only considered by the security team. But how do you get employees to be security-conscious?

One company said they had regularly sent out communications to staff around the cyber threats they were facing, and included statistics on the number of reports they received. This had led to an increase in the number of incident reports being sent in, which shows that employees were taking it seriously and feeling involved.

Another company had already taken this a step further, and had regular cyber attack drills with an established play book. Fire drills are an expected part of every organisation, and so why can’t cyber drills be as well?

All companies agreed that messaging was crucial to getting buy-in from the everyday employee, and a core aspect of this is to remove the fear of feeling stupid if you get something wrong, and the feeling that your input is in insignificant.

A fresh idea floated was to have employees come and shadow the security team for a short time, to learn about the threats, and meet the people behind securing the organisation.

Another of the major themes that emerged in the forum was the perception of risk, and how security culture often seems to clash with business culture.

For digital technology and hardware companies there is a race to market, and the attitude that the best way to test a product is to put it into the hands of the consumer. This means that security is a trade-off, with the risk not given due concern.

And this can be a major issue at the board-level. The boards of companies are concerned chiefly with financial performance, and don’t necessarily want to hear about something they believe to be purely technical risk. It is essential for CSIOs to be able to translate the threat from cyber into business risk. The Norsk Hydro incident again is a case study in how cyber security absolutely is a core business risk.

At one of the companies present, this work is already underway through the development of a cyber risk management tool. For OT, it is relatively easy to put the risks into monetary terms for the board, by correlating risks to down time in operation. It is not quite so direct for information security risks.

One thing that everybody around the table agreed was that cyber threats were not going away, and only stand to get more serious as the cyber and physical domains merge.

The round table was as important starting point however to solving the growing challenge. Providing a forum for those in charge of security to share problems and solutions can help everyone involved, and a second forum is planned for very soon.

Reporter

Duncan Swinscow-Hall

Duncan Swinscow-Hall
Institute for Security Science & Technology