Security should be enabling, says HP strategist Tim Grieveson

Information security should be done up-front, systems and processes should be secure by design, and security should be enabling, according to Tim Grieveson, chief cyber strategist, HP Europe.

“Most enterprises need to change the way they think about information security to see it as an opportunity for innovation to drive business and as a competitive differentiator, not simply as a cost,” he told Computer Weekly.

“They also need to start thinking like an attacker to identify what data is most likely to be targeted and what tools are most likely to be used.”

According to Grieveson, knowing what data attackers will come after and the methods they will use is critical in helping put the most effective defences in place.

“In my experience, designing security into hardware, software and processes from the start also typically reduces costs in the long term by a third,” he said.

Grieveson believes security should be about enabling business to be as agile as possible – but without the risk, by providing people with the tools they need to do their work securely. He recommends information security focus on the goals of the business and help it to achieve those securely.

“It is better to understand the needs of people in the business and provide the most secure tools to do what they need to do, than to have to find ways of locking down ‘shadow IT’ that arises when people in the business go around IT to source their own tools and services online,” he said.

Firms should copy North Korea

Grieveson said that, in his experience, it is by engaging the business in a conversation about how security can support business outcomes, lower costs, improve efficiencies, prevent loss and detect fraud that information security professionals can secure a place on the board.

“Chief marketing officers, chief information officers and chief information security officers should hold regular conversations about achieving the common goal of growing the business, but in many organisations that happens seldom, if ever,” he said.

But improving and ensuring the best possible information security is not just about technology and tools. It also has to be about educating people at every level of the business and raising their awareness of the risks, so that acting in line with security best practice becomes automatic.

“Information security professionals have an important role in helping organisations build a culture of security, so that everyone can make a contribution because they understand the value of data and the associated security risks,” he said.

By raising people’s situational awareness, he said, they are more likely to be self-policing when dealing with company data and wary of things like “shoulder surfing” or revealing personal and business information during phone calls on trains.

“Like health and safety, information security should be a concern for everyone, but changing an organisation’s culture is challenging. Security needs to be built into every new product, application and business process,” he said.

Grieveson said this process can and should start in schools: “In some countries like North Korea, children are taught to be cyber warriors from an early age – but the UK is relatively poor at this and we need to do a lot better.”

Outsourcing routine security

Another key strategy he believes needs to be part of the organisation’s information security culture is to focus on the data that needs to be secure rather than devices.

“Focusing on the data helps to ensure that it is secure at every stage of its lifecycle and that, for example, only the right people are allowed to access it in the right context, and that the most secure devices and applications are chosen to access it,” said Grieveson.

“If the business is demanding specific devices simply because of the ‘cool factor’, it is important to have an adult conversation about the risks and the costs involved in mitigating those risks.”

He is also an advocate of outsourcing routine, low-level security processes and automating manual tasks such as password resets wherever possible. According to Grieveson, this approach can help give IT teams up to 60% more time to focus on innovation, threat intelligence and strategic issues.

“Many security teams are too busy keeping the lights on and fighting fires to focus on the big picture, but out-tasking and automation can save time and costs, while freeing up security teams to concentrate on more important issues and address the root causes of security issues.”

Information security teams need to have the opportunity to focus on things like reducing the time taken to detect intrusions on their networks and remediating those when detected.

HP research shows that 94% of breaches are detected by third parties and, on average, organisations take 243 days to detect intrusions and 55 days to remediate them.

“Many organisations are not looking at the right things. They are not investing in detection and response capabilities, they are not putting in processes to prioritise risks and to ensure good communications when breaches occur, and they are not checking through penetration testing that the controls they have in place are working as they expect,” said Grieveson.

In addition to thinking like attackers to identify the risks and security gaps, he said defenders should also act like attackers by becoming effective communicators, collaborating with peers and specialising in key areas.

Looking ahead, Grieveson said both producers and users of devices and services making up the rapidly growing internet of things (IoT) should aim for security and privacy by design.

“Data encryption, strong authentication and secure interfaces should be key principles, otherwise attackers will seek to exploit any and all weaknesses they can find,” he said.