31/01/2017
OCSL Editor

Firstly, I’m not a CISO, or a security expert. I’m a technologist interested in the new world order, the disruption this brings and how we can overcome the massive security challenges we all face. Security and Security Risk Assessment have remained top of the CIO/CEO agenda for the past few years. Never, though, have both perceived and real threats been quite so high.

The biggest security risk? A brand’s reputation can be ruined in seconds

Often it’s the press around an incident that can be more damaging than the actual incident itself.

We all understand how hard it is to build a brand. We only have to look at the bitter fight between Trump and Clinton in the race to the White House, and the damning questions about hacking and manipulation, to understand how reputations can be ruined in seconds.

Security attacks have become increasingly sophisticated

Threats have evolved from a simple virus that locks you out of your PC, to sophisticated ransomware, to “grand theft cyber”, where physical monetary value is removed from a company.

It’s not just the systems or the perimeter that we need to think about. We need to take into account the people and the process, and factor in social media. Millennials have pushed the boundaries of what businesses are traditionally comfortable with. Whether you’re a bank, a non-profit, a government agency or a retail store, you can't ignore the need for different, more agile ways of working and increased expectations.

The current security marketplace

Here at OCSL we’ve taken a long hard look at the evolving security marketplace over the last 14 months or so.

Security businesses have emerged from the “Valley” that are really challenging the traditional security establishment players. I am going to call out just one for now: Cylance Advanced Threat Protection. With their endpoint virus and malware detection they have created a hugely more efficient way of tackling an age-old problem. Well worth a look in my view.

The security market is pretty much split into a products market, consulting, and those offering security as a service. The UK market specifically is very fragmented. There is no single dominant player. So looking for the perfect solution, the one market-leading solution, can be a misguided approach.

So, how can you combat the onslaught of security attacks?

I guess the utopian dream would be to have a security structure that covers people, process and product.  A structure so robust that we are aware of the threat before it ever happens. But in reality this is a tall order. Complacency creeps in. Budget constraints come into play. And skills (or lack of them) lead to inconsistency. So what’s the answer?

A Security Assessment

Firstly, don't be afraid to thoroughly examine and prod your own defences. Test for vulnerabilities. Gain as much knowledge as you possibly can about your security defences, from the perimeter to the core, from process to your people.

Once you've gained these insights, don’t be afraid to look at lots of different options as part of your Security Risk Assessment. Challenge and widen your understanding of the marketplace. Think about different approaches to ensure meticulous security and an in-depth strategy across your business.

For Cloud services, be proactive. Assume you are vulnerable at best and, at worst, have already been hacked. With a different perspective, you'll start to gain the advantage.

The cyber security industry is being reinvented every day. No one organisation has the perfect solution at this time, but it’s important to ask yourself: how can I mitigate the risk? Can I outsource? Can I insource? Ask your staff, your network, consult with specialists. Broaden your net. It's vital to assess and identify the best security solution for your particular needs.

I'll leave you with two of my favourite quotes focussed on security. They may be slightly dated but are still hugely relevant:

There are now three certainties in life - there's death, there's taxes and there's a foreign intelligence service on your system

Sir Iain Lobban, Director, GCHQ

There are only two types of companies: those that have been hacked, and those that will be

Robert Mueller - FBI Director, USA
