Security Panel – The Cybersecurity Show – S1Ep7
NAYOKA OWARE [00:00:29] Hello and welcome to episode seven of Security Panel brought to you by Celerity. I’m Nayoka Oware and today I’m joined by guest Fran Howarth, who is the senior analyst of security at Bloor Research. Today, we will be discussing cyber security and the modern enterprise. Fran, welcome.
FRAN HOWARTH [00:00:50] Thank you Nayoka and thank you very much for having me.
NAYOKA OWARE [00:00:51] You’re absolutely welcome. How are you doing?
FRAN HOWARTH [00:00:54] All the better for being here.
NAYOKA OWARE [00:00:56] Good. Wonderful. Tell us more about your job role and what it entails.
FRAN HOWARTH [00:01:00] I head up security for Bloor Research. We are an independent European research and advisory firm and we look a lot at how new technologies are impacting enterprises. Digital transformation is one thing that almost every organization is at least looking at, but we find too much that they are looking at it as a one off project. So we developed the term mutable because it is something that is continuously developing.
NAYOKA OWARE [00:01:30] Okay.
FRAN HOWARTH [00:01:31] And one thing that sets us apart is that most of us have been practitioners either from the I.T. side or the business side or both.
NAYOKA OWARE [00:01:39] Wonderful. What is your current appraisal of the cyber threats facing organizations today?
FRAN HOWARTH [00:01:45] It’s pervasive. It’s really that every organization has to worry about it, whatever their size, whatever their industry. And it’s very, very personal. Phishing is probably 95 percent of the way that hackers get into the organization. And there’s more social engineering attacks. It’s kind of blurring the lines between insider attacks, which have always been there, whether malicious or inadvertent. And those from external attackers who are looking to get a foothold in the organization and get credentials that allow them access to very sensitive information. And one further thing that is really plaguing organizations at the moment is that third party suppliers are increasingly being used as a conduit into organizations. If you think of catering staff or maintenance people, a hacker may well try to get into an organization through credentials or even getting a job. So it’s not just within the organization, it’s anyone who’s connected with it.
NAYOKA OWARE [00:02:53] OK. Would you say that there are any other significant security challenges businesses should be aware of?
FRAN HOWARTH [00:02:59] Well, one thing that’s been around for a while and that really is coming to the forefront even more now is the challenges involved with regulatory compliance. GDPR is talked about a great deal. It hasn’t really shown its teeth yet. There haven’t been any really major fines apart from one from Google. But that was to be expected anyway. I think that there’s been a backlog. The regulators and the local authorities, in terms of data protection, haven’t really known what their role was or been prepared. And I think we’re about to see that have teeth. And it’s also been shown that other countries around the world and jurisdictions are looking at GDPR and thinking, well, we need to protect our own citizens. And this goes hand in hand with best practices that really are if you can show to your customers and stakeholders that you are adhering to the best practices and guidelines that are available, then you will instill confidence. And I think these are really impacting security and the way it’s seen.
NAYOKA OWARE [00:04:07] Do you have an idea or a suggestion of what this practice could be implemented?
FRAN HOWARTH [00:04:12] Well, here in Europe, we very much use the ISO 27000 series. 27001 is a standard really that you get certified on and 27002 is slightly less. It’s a framework, but it’s certainly a good place to start.
NAYOKA OWARE [00:04:31] Okay. And how are these factors affecting security frameworks and controls?
FRAN HOWARTH [00:04:37] Well, within organizations, the frameworks really need to be modernized because there has been a huge emphasis in the past as to what’s happening on premise in organizations, but the perimeters of organizations have all but disappeared. You can see this just in the proliferation of mobile devices which are everywhere. But now it goes out much further, cloud and I’m not just talking private or public. Hybrid cloud where it’s also connected to on premise. And we’re going out into the Internet of Things and industrial networks. And all of these are now connected into the organization in various ways that they weren’t before. And this is really expanding the role of security and the need for it beyond the organization’s own premises.
NAYOKA OWARE [00:05:31] What are your thoughts on the role of security as part of an organization’s journey to digital transformation?
FRAN HOWARTH [00:05:40] Well, I think too often the security people and executives in an organization still don’t really have the clout that they need. And I’ve heard a lot from security executives that they are often the last to know what’s actually going on with digital transformation. Like one of them told me recently that it was only after they had been pitching for budget that they were told we’re actually going on a cloud first route and they haven’t been told that at all. Otherwise, they would have completely changed the way that they were thinking about security.
NAYOKA OWARE [00:06:19] Of course, thank you for sharing that. How important is the concept of secured by design when talking about digital transformation?
FRAN HOWARTH [00:06:29] It’s a concept that I know best for the construction industry and the UK police in particular has taken on board. It is so much easier to design a building with windows and doors and everything else in place so that it’s secure. But that is building something new. You can’t build that retrospectively into a building and I think it is the same way as we see within organizations. They have so much legacy, if you’d like to call it, in place that really you cannot go back and put technology into that. I’ve only seen one organization recently that really is able to take it from the start and build it in. And that is a greenfield hospital in Abu Dhabi. And the guy who’s in charge of security there had a complete blank sheet in order to build security. And I think it’s very difficult to do that. And I look at the perennial problem we have with application security. It would be ideal if security were built in from the design stage and with all the lifecycle of the application right through to production and, you know, continually renewing it and having a look at it. But that just really doesn’t happen. And I think the same thing is really happening in the digital transformation space.
NAYOKA OWARE [00:07:52] Why don’t you think it’s happening? Is it difficult?
FRAN HOWARTH [00:07:55] It is far too difficult, especially when you’ve got so much in place already. And there’s also often not one executive in charge of security with enough voice to really convince the board that security is a risk that is as important as any other risk that the business faces. Financial risk, operational risk, legal risk, security risk. A firm can go out of business if its reputation is tarnished to such an extent, and the financial losses can be enormous. But too often the board will focus on what is driving revenue in the organization. And security is not seen as a revenue driver. It’s seen as insurance. And it unfortunately still is often seen as that. And okay, it can cut costs, but it’s not really seen as valuable as some of the other things.
NAYOKA OWARE [00:08:54] Those are some really good points. Do you think the adoption of secure by design will happen naturally within organizations?
FRAN HOWARTH [00:09:03] I think that it’s come into the consciousness much more with GDPR because it actually specifies privacy by design and default and therefore you look at security by design and default, and I think that for some people this may be the first that they’ve actually realized that. They really have to pay more attention to this no matter how difficult it is. And so many more organizations are data centric that every organization is data centric. So you’ve got to look back. And if you cannot do your legacy in at least design the processes around your sensitive data and the identities access rights, who is doing what and with what. Because this is what you’re going to be judged on. And I think that that gives organizations a chance, even if they haven’t got security by design to start at least from perhaps the halfway point and then build it in.
NAYOKA OWARE [00:10:05] Thank you for that. What are your thoughts on the role of security within the enterprise ecosystem?
FRAN HOWARTH [00:10:12] I think I’ve already rather alluded to that in that security is not taken seriously enough. Now, in the past years, we’ve seen the CISO the chief information security officer come in as a role. Not every organization has them. It’s primarily the larger organization. But unfortunately, too often they do report to the CIO. And the CIO has a wonderful job to do in terms of making things happen, keeping the whole place running and make sure people have the tools that they need to do the job. But they don’t really want the pesky security executive coming in saying no because security is too often associated with no. So what is required is more of a direct reporting line into the board. And I’m seeing more often it’s going through the finance officer and perhaps the risk and legal officers, whereas I actually like to see the CEO take more of a role. There is one caveat to this, and that is boards are putting in more specialist non-executive directors who do have some of the knowledge that the board may not have. And they are becoming very, very useful within organizations.
NAYOKA OWARE [00:11:26] Based on what you just said, do you think it’s beneficial to have a CISO in the organization?
FRAN HOWARTH [00:11:32] Yes. If they’re given the power, but they see too many stories of CISOs that are burnt out because they’re trying very hard and they’re just not taken seriously enough. Now, one of the things that has to change in order for this to happen is for the CISO to be empowered to actually have more of a say, to be able to explain in business terms the risk and the value that they’re bringing.
NAYOKA OWARE [00:11:59] Fair enough. What changes have you seen in the role of security executives during your time working in the security arena?
FRAN HOWARTH [00:12:07] Well, I think that just largely comes from where I’ve just been. What I do see is that rather than being just a technology oriented executive, they now are coming with a more business view to it. And that is very useful in talking to the board and being able to explain the value the security technology will bring to the organization as a whole, in order to be able to describe why the budget is going to help overall.
NAYOKA OWARE [00:12:38] Lastly, Fran, do you have any advice for viewers watching this show?
FRAN HOWARTH [00:12:42] Focus on value. Focus on business value. There’s been too many point products. Any security executive I talk to says we have too many vendors, we have too many products. They don’t integrate. We need things that really work. And they work seamlessly together and they provide real value and know what your suppliers are doing because they are a security risk, but they also bring value by themselves.
NAYOKA OWARE [00:13:14] Thank you so much for your time.
FRAN HOWARTH [00:13:15] Thank you.
NAYOKA OWARE [00:13:16] Fran, it’s been an absolute pleasure talking to you. But unfortunately, that’s all we have time for.
FRAN HOWARTH [00:13:20] Thank you very much.
NAYOKA OWARE [00:13:21] You’re absolutely welcome. We hope you’ve enjoyed this discussion just as much as we have. Join us for another episode of security panel next time. I’ve been Nayoka Oware. Thank you for watching.