There is no cyber risk without a threat or a vulnerability.
Q: LRQA is all about safety; what is more important for cyber security professionals to focus on - is it threats or is it vulnerabilities?
The way that we at Nettitude see the world is through a slightly different lens. We see threats, vulnerability, impact and likelihood all being ingredients of risk management. There is no cyber risk without a threat or a vulnerability.
I think our industry has historically focused extensively on vulnerability. Initially, that was on technology vulnerability and that’s moved sideways into people and process. Over the past 5 years, the focus has been to think more about the threat. I think our industry’s ability to quantify and describe the threat from both a geopolitical, as well as a tactical perspective has significantly improved. This is something that really excites me, as the combination of LRQA and Nettitude together will give us greater reach to this intelligence across a more diverse range of industries. LRQA and Nettitude can do a great deal in terms of threat modelling for our clients to try and understand which cyber threat is most likely to be seen within a specific geography or industry.
Instead of simply focusing on the art of the possible, threat intelligence gives us the ability to focus cyber defence and response strategies towards the most probable types of behaviours. This ensures that budgets can be better aligned to the most likely areas of threat, delivering a stronger return on investment to the board.
So, for us, threat and vulnerability are absolutely as important as each other. By helping organisations measure vulnerability, threat, impact and likelihood, you provide a much more robust approach to cyber risk management.
Q: How important is the regulatory landscape when shaping organisational cyber security strategies?
Regulation and legislation have a massive part to play in improving cyber resiliency across the world. One of the things that we see time and time again is that there is a disconnect in expectations between organisations that are buying cyber security services and people that are providing them.
Many buyers think that if they plough a significant budget in to cyber it will make them resilient. However, many cyber security organisations rarely think in such absolute terms. The reality is there’s a massive disconnect between the investments that are made and the resiliency that is achieved; assurance and regulation helps to bridge that gap.
The truth is even though some organisations spend tens of millions of pounds on cyber security, they often find that they are no more resilient to cyber attacks. There is a strong argument that this is because of the asymmetry of information that is prevalent in the cyber security market. There is often too much focus on technology for technology’s sake. Vendors often confuse buyers with complex technical jargon and consequently, this leads to confusion and misalignment of expectations from vendors and buyers alike.
If regulators can define what good looks like in maritime, financial services, energy and healthcare, then this can be used by organisations to develop their cyber security strategies. By using a common set of terms, approaches and vernacular, there is a greater opportunity for buyers and sellers to become aligned with their cyber security goals and expectations. In time, this will raise the bar, allowing whole industries and regions to become more resilient to cyber attacks.
Our view is that within the cyber security industry, we will see more regulation and legislation emerging over the next three or four years. We’re seeing that already with the likes of GDPR which is directly applicable to the whole of the European Union (and with implications worldwide). The NIS directive is another example of EU focused legislation, and we are also seeing a number of financial services regulators across the world implementing frameworks to increase resiliency within their areas of jurisdiction.
Three or four years ago, the UK Financial services regulator took an increasingly proactive approach to improving cyber resiliency by launching the CBEST [1] scheme. This was designed to deliver greater levels of assurance across systemically important financial institutions. Its approach was highly innovative at the time, due to the way it leveraged threat intelligence to deliver targeted attack and response assessments. The regulator recognised that the types of threats that were prevalent within Financial Services were very different to those that were related to manufacturing, or retail. Consequently, the CBEST programme was designed to simulate the adversaries that were known to be targeting financial services. As well as assessing an organisations’ defences, the framework also ensured that organisations measured the capability of their detection and response functions. The outcomes and intelligence derived from these activities have been a catalyst for UK financial services to raise their cyber preparedness across the sector.
What started off as a UK oriented activity has evolved overseas and programmes like ICAST in Hong Kong, TIBER-NL in the Netherlands and TIBER-EU for the European Union have taken the concept of intelligence-led penetration testing and applied it to other financial services jurisdictions around the world. In each of these instances, the regulators are trying to increase the cyber resiliency within their region. Instead of leaving cyber assurance to market forces, each of these frameworks is designed to enhance the level of cyber preparedness across systemically important financial institutions.
The market on its own is not functioning properly; regulation is potentially the solution to making the market work more effectively.
Why is this all happening? Put simply, the market on its own is not functioning properly; regulation is potentially the solution to making the market work more effectively. Regulation helps to define what good looks like, and provides a common set of language and narrative for organisations to measure themselves against.
[1] The UK Financial Authorities - Bank of England (BoE), Her Majesty’s Treasury, and the Financial Conduct Authority - consulted with financial services organisations, while also working with the penetration testing and cyber threat intelligence services industry to develop a scheme – known as CBEST - that is sympathetic to the concerns raised by the financial services industry and the risks associated with testing critical assets.
Q: Are there different approaches for different sectors and even geographies in terms of ensuring more cyber resilient operations?
The reality is that the threats associated with financial services are very different to the threats associated with maritime and nuclear.
The reality is that the threats associated with financial services are very different to the threats associated with maritime and nuclear.
Historically, the cyber security industry has gone out and delivered assurance in a way that’s consistent across all sectors – the international information security management system standard ISO 27001 is the same for a financial services organisation as it is for a nuclear plant, yet the threats are very different.
What we’ve seen from recent history is a growing recognition that you need to treat each of those industry verticals more uniquely. This need is being amplified as more industry-centric operating technology is becoming Internet-enabled. As an example, we’re seeing other threat lead penetration testing frameworks being applied to additional parts of critical national infrastructure in the UK. In 2017 TBEST was born, a framework that was focused on the telecommunications sector. In addition, there is now a programme being generated called NBEST focused on nuclear and we should assume that as time goes by there will be other regulator driven frameworks that apply to other aspects of critical national infrastructure. I think we’ll continue to see this approach permeate outside of the UK and into other regions around the world. After all, the people, process and technology touchpoints within financial services are very different to the touchpoints in maritime or within a nuclear plant. The things they do, the data they interact with, and their roles in society and the economy are completely different. Surely then, we should be using very different types of assurance processes and cyber measurement techniques to determine the capability and the resiliency of those industries?
This doesn’t mean that we should do away with industry agnostic cyber security frameworks. With Industry 4.0, it simply means that we need to find a way to work with these agnostic and centric frameworks collectively, knowing that they both have a role to play in influencing an organisations’ cyber security strategy.