One of the most pressing issues the event covered was how to operate in an evolving cybersecurity landscape. In the current environment, uncertainty makes trying to implement a static cybersecurity strategy as viable as building a castle on quicksand.
Instead, the speakers looked at how adaptability, agility, and proactiveness are keys to ensuring security when everything is changing.
Day 2 opened with three talks on practical steps that organisations can take to improve security. We heard from Managing CISO Jordan Schroeder, Photobox Lead Security Engineer Sonya Moisset, and NatWest Technology Security Manager Ceri Jones.
When faced with a chaotic cybersecurity landscape, Schroeder argued it is best to take a proactive approach. New threats need to be identified and appropriate measures taken before they impact operations.
Schroeder noted that scaling up operations is easier said than done – there comes a point where old solutions are no longer viable. When dealing with a linear problem, linear solutions work best – as the problem grows, the resources needed to tackle it grow.
However, in a chaotic environment, where problems adapt to attempts to solve them, that level of process-driven thinking does more harm than good. Instead, a non-linear approach is needed, the better to find new solutions to new problems.
As such, keeping people at the heart of a cybersecurity strategy is necessary for a scalable and resilient strategy. Since humans are by nature adaptable, they can react to new threats better than a flow chart.
Schroeder’s argument was that security professionals must become comfortable operating in uncertainty. And to scale operations, he said to “automate what you should, collaborate on the rest, and learn to tell the difference”.
In her talk, Moisset discussed some of the practical tools that groups can use to keep CI/CD pipelines secure. In terms of scaling cybersecurity operations, she noted that there is a wealth of open-source resources available on sites like GitHub.
This allows organisations to leverage the expertise of an entire community to create security solutions. Not only does this help to develop best practices, sharing insights helps everyone better understand new threats and new solutions as they emerge.
However, technology is only as good as those using it. In her talk, Jones looked at the role of language in effective security engagement. If security is everybody’s business, then ensuring that a highly technical and specialised subject is well communicated to every worker in an organisation is often the difference between good and bad security habits.
This is especially true in an evolving threat landscape, where staying abreast of the situation leaves little time to communicate the situation to others.
The essence of security communication touches on the need to move away from rigid and process-driven thinking. There is more than one way to approach security, and a linear attitude to communication fails to understand this.
In the end, good security communication is whatever helps people be more secure.
During the Session One Q&A, the three speakers noted that since adaptability is the key to resilience, dictating security norms is not the right solution. You need to ensure that the people are taken into consideration.
Privacy and Security
The second session touched on the importance of privacy and security in the digital age. It explored how to align both concerns, and how to ensure personal data is protected in the age of ubiquitous computing.
In this session, Lecturer at Glasgow University’s School of Computing Science Mohamed Khamis, Privacy Lead at Strauss Coffee Cristina Costache, and ORG Policy Manager Heather Burns gave talks.
Khamis noted how the march of technology is bringing down the cost of tools. As the buy-in cost, in terms of money and also skill, decreases, the number of actors who can enter the field increases.
A proactive approach is necessary to identify how new or existing technologies can be adapted to pose a threat.
One of the threats this poses, Khamis warned, is that new devices come with a range of sensors – cameras, microphones, GPS, etc. Furthermore, the shift to remote working and learning means that we are using our computers to record ourselves more than ever. This increases the amount of data an organisation creates, and potentially stores.
However, balancing privacy when using new technology can be tricky. There will always be a trade-off between security and usability. And where security impinges on usability, inevitably, people will stop acting securely. If security doesn’t work for people, it doesn’t work.
Costache delved into some of the legal frameworks surrounding privacy and how they impact on cybersecurity. With GDPR firmly connecting security and privacy, it is vital that companies ensure that any data they hold is adequately protected.
She noted how most data protection fines levied under GDPR came due to insufficient technical and organisational measures to ensure information security.
Burns noted how privacy rights must be fully incorporated into technology and processes. Privacy nowadays is not an additional consideration, but something that must be embedded at the heart of operations.
Too many companies, she warned, use privacy policies that focus on protecting themselves, rather than users. However, with increased awareness and scrutiny of data usage, privacy must respect the rights of users.
What the Future Holds
In the final session, the speakers examined how the industry needs to prepare for the future – this involves ensuring that there are enough skilled cybersecurity workers to respond to the increasing demands upon the sector.
Chris Green, Head of Communications EMEA, (ISC)², delivered an initial talk where he looked at some of the key employment statistics in the cybersecurity sector. With around 3.5 million cybersecurity professionals around the world, the workforce has seen significant growth in the last few years.
However, there remain serious gaps in the talent pool. Green estimated that the UK alone is facing a shortfall of around 27,000 jobs. Worldwide, the industry needs over 3 million additional cybersecurity staff: a growth of around 80%.
For the Q&A section, Green was joined by Prof. Bill Buchanan OBE, Professor at the School of Computing at Edinburgh Napier University, SDS Digital Technologies Sector Skills Manager Claire Gillespie and Mahbubul Islam, CISO, HM Courts & Tribunal Services & Director at The Security Institute.
Together, they discussed how cybersecurity skills are changing. Due to the impact of the coronavirus, more resources are being put into cloud-based infrastructure. As such, skills are needed to manage the distributed nature of operations.
Due to the nature of the security industry, there is a wide breadth of jobs available, each with a different skillset. “This is an industry where there’s a job for everyone,” said Buchanan.
The sector is also facing the double problem of a skills gap and unfilled jobs. While multi-skilling provides a short-term solution, it is not a sustainable approach. Ultimately, since the sector currently sees almost 0% unemployment, it is a tempting field for those seeking new employment.
Professor Buchanan delivered the day’s closing keynote, where he explored encryption and cryptography and their role in cybersecurity.
Cryptography is the basis of many areas within cybersecurity, both for protecting data and as a weapon used in ransomware attacks.
While encryption is a powerful tool for keeping data secure, not everyone is happy with it – governments and law enforcement want, and in many cases need, access to sensitive data.
The truth of the cybersecurity situation is that it will never grow static. Threats are always in flux and solutions will come and go. It is ensuring that security can react to these changes that will keep organisations secure.