05 DECEMBER 2018

SIMON PRESENTS: Juggling Security Risks and Balancing Priorities

Cyber security gurus, Brenda Ferraro, Stuart McKenzie and Matthew King, joined me for a Security Keynote Panel Discussion at INSIGHT 2018 to discuss the biggest security issues facing legal organisations today.

Security Keynote Panel Overview

With cyber attacks on the rise and attackers becoming more sophisticated in exploiting vulnerabilities, everyone is at risk of a cyber attack. Whether you are a multi-million-pound organisation or a 10-man fleet. There is no quick remedy for an attack, so it’s vital you have a robust plan in place that will allow your business to keep running smoothly, while other systems are down.

Whether you are the CIO, the CISO or a Business Engagement Manager, your life is a constant battle to ensure a reasonable security posture while balancing costs, usability, technology, user behaviour, transformation and agility. Suffering a breach is no longer a question of “if,” but “when” and “how big”.

With thanks to INSIGHT 2018 and the International Legal Technology Association (ILTA), I was fortunate spend time with thought leaders, Brenda Ferraro, Stuart McKenzie and Matthew King, who imparted some pearls of wisdom surrounding our industry – including the biggest security issues facing legal organisations today.

How Do We Decipher What is Important and Relevant for Ourselves and Our Organisations?

In my experience, the landscape has completely changed compared to 25 years ago, we’ve got systems for absolutely everything, and we are consuming things in a completely agile fashion. I’m sure many of you now receive 100s of calls telling you the world is going to collapse around you if you don’t invest in ‘our special piece of technology’. But has security in communications really changed? And has the investment in security kept up-to-date within our IT operational landscape? 

In response to my question, Vice President, EMEA for Mandiant, a FireEye company, Stuart McKenzie, highlighted the importance of understanding your risks. As well as, determining where your threats come from as a top priority:

“Once you get the basics right, then it’s about incremental spend and understanding where you have exposure. You need to make sure your cybersecurity posture aligns to how you mitigate and understand risks in the physical world. There’s no point having a strong posture if you leave the door open.”

Brenda Ferraro, Third Party Evangelist and Senior Director of Networks at Prevalent Inc, brought to light the importance of conducting tests. She noted that some companies have over 580 security control standards and requirements that must be met:

“Many companies aren’t doing scenario-based tests to find out if the Incident Response practices that they have in place are working or not.”

Following on from Brenda’s response, the foundational and the basics of IT hygiene is critical according to Matthew King, CISO and BDO of UK LLP

He believed the spectre meltdown is an interesting point: “From a risk perspective it is low for most organisations – but the downside is, everyone is talking about it. The BBC news were talking about it, my CEO, COO and Head of Risk kept chasing me about it, so I had to respond.”

Sensationalised Threats Versus Evidenced Ris

For Matthew, it’s about robustness in response,

“therefore when those types of things come along, you can do that evaluation pretty quick. The real challenge is the culture of the organisation and leadership and trying to engage with them on a level where they are interested – but also that they understand that what you’re doing is the right thing for the organisation”.

I think that summarises my opinion, that the industry is driven by threat mania and that is wrong. I agree 100% with the panel. Leading on from this, I put the following question to the audience, ‘how many people believe they have all of the right data in the location in the event of Doomsday would be able to respond with confidence?’ – one individual.

Does this mean we are prioritising protection over and above response? And detection over and above response?

There must be a better way to how we are approaching the problem today?

It was evident from the panel, the importance of letting organisations know precisely where their data is and how it is being protected? Alongside knowing your vulnerabilities to know what to test.

Brenda continued:

“With concentration risk if you have an active approach with that content wherever it is stored, you must make sure that if that company goes down, what other company has a backup of that information?

Others noted that “information exchange is essential”. Stuart believes that practice should be top of the list:

“You don’t learn to dance on the day of the ball. When you do your testing think about it in a Doomsday scenario, how do I start again, is my backup online? It is important not just to test the easy parts. Make sure your suppliers are doing best practice. Make sure when you are buying something, you are saying to your suppliers, what it is you want and what are the fundamental aspects you need. So you don’t downgrade it and don’t get what you want.”

Matthew is a huge advocate of risk methodologies, as it uses the same language that boards understand, but there’s a big question over likelihood: : “We understand the impact. It is an industry built on fear; I also don’t trust people involved in Incident Response all of the time, because that’s their whole purpose and view of the world.”

He stands by data-driven assessments, because they are far more valuable, “to be able to undertake assessments where you can validate that your controls, either are or are not effective, and you can determine whether that is something you need to focus on, boards can deal with that – it is evidence-based work. It’s not a finger in the air risk” concluded Matthew.

Staying on topic, Stuart stated that boards are,

“clever people, especially those of law firms. If you explain to people on evidence that’s very good. But I think you have to build your evidence from things like red teaming and pen testing and making sure you understand what your risk posture is and are the controls working”.

According to Stuart, we need a 360-degree view. We need to understand what is the risk we are willing to accept and what do we need to operate? We need to walk to the walk. He continued by remarking that if you can’t operate your systems because of the controls you have in place, then there’s something wrong, everyone needs to follow the same procedure. And if it’s not enabling, are we doing something wrong?

Wrong Versus Bad

I posed one final question, if you listen to the vendors, they promise to find the bad, it’s their determination of what bad is, we focus on bad, but we should be focusing on wrong? If we can’t determine wrong how can we understand the compromise.

He replied: “If you focus on what other people tell you, you are starting from the wrong position. You have such a rich source of intelligence, within your logs, fire logs, proxy logs. It will tell you whether you see commodity malware, you can see what’s pushing against those boundaries. That should inform where your controls are weak.”

In his opinion, if you set your decision criteria based on what someone else has told you, you will buy that because you are buying it based on their ideas. “Base it on what you need,” concluded Stuart.

So, What Can We Do to Protect Ourselves?

We have to educate our users but not just nanny them. Building relationships and trust is critical for Matthew: “For me, it wasn’t a conversation about risk but an honest conversation about where we currently were from a security posture perspective and getting them on the right page. Saying we have an action plan, we need to work on it and you need to challenge us.”

Brenda recommended ‘Adaptive Enablement’. Sharing information to individuals and allowing them to have healthy competitions to reduce the risks, putting the right amount of friction on the business units to determine how to get those vulnerabilities to close. As you close the gap, you can then concentrate on new threats.

Cyber security is a team effort and given the nature of today’s global threat landscape, it is apparent that data breaches and cyberattacks are higher than ever – cyber security needs to be a companywide effort and incorporated into the organisation’s ethos. As widely quoted ‘more hands make light work’. Therefore, it’s imperative that you train your staff in cyber security, the more staff are educated the quicker you can resume with day to day proceedings following any attacks the company may suffer from.

I want to thank the ILTA for allowing me to host this panel, my panellists Brenda, Matthew and Stuart for sharing your knowledge, and to everybody that endured me for an hour.

Thanks to the ILTA, you can listen to the conference in full and download the presentation slides here.

Cybersecurity is a group effort, call us
today on 0203 8232 999 to find out how we could help. Alternatively, head to
https://secrutiny.com/security-patrol-managed-services/ for further information.