…and how it made me realise the changing security landscape will eventually allow me more time for quilting.
InfoSecurity Europe rolled around again this week and it looked as busy as a trading floor. Falling on the same week we saw reports that TeamViewer was hacked, a Canadian university paid $20,000 to ransomware hackers and the Singapore government made a decision to stop workers from accessing the Internet in order to tighten security, it’s almost no surprise that the security conference would still be heaving on day 2. A happy hour announced every now and then – most probably playing the double role of facilitating sales and soothing the nerves of the infosec community – and we saw everything from server racks covered in bullet holes to someone impersonating The Queen.
As with previous years there were a range of informative presentations and panel discussions available for attendees wanting to hear about the latest trends, updates and stories experienced by some of the best and brightest in the industry. One discussion in particular that really resonated with me was the “Headlines, Breaches & the Board: You’ve Got Their Attention – Now What?” panel discussion. On this panel were representatives from Unilever, Vodafone, Willis Towers Watson and Markit and highlights included discussing the changing attitudes around security purchasing, providing the boardroom with confidence in understanding the threat landscape, and the creation of the TalkTalk breach as a new subject for “Where were you when…” conversations.
There was one part of the discussion in particular that stuck with me: media stories built on fear, uncertainty and doubt (FUD), and the consequences of press coverage that is focused on FUD.
In recent years we’ve seen a rise in the number of column inches dedicated to reporting breach stories, and it’s easy to see why this is viewed as a factor in driving fear, uncertainty and doubt. FUD is certainly viewed as an old-fashioned way of doing things in the information security world, with a common criticism being that it just drives fear and pushes sensationalist views. It was interesting to hear a discussion in 2016 which included the view that the FUD factor does have some merit – but not in the way some might expect. I’ll explain through an exam-style narrative: The CEO of Sandwich Inc spotted in the news this morning that a rival company had become the victim of a cyber-attack. The CEO is very concerned, as the spokesperson for the company that has been attacked looks panicked during television interviews, there appears to be a barrage of abuse on social media from customers, and news headlines focus on highlighting the effect this has had on customers. The CEO of Sandwich Inc then calls their CISO into their office – not to panic and raise the security budget, but to calmly ask the following questions: What does it mean if this happens to us? What would the impact be? What is our risk strategy?
One panelist said to the audience during the discussion: “Remember that board members are astute and intelligent.” So perhaps they’re not being given enough credit – they’re not so impressionable that they’re seeing these breach stories and jumping on their CISO out of fear, they are seeing them and opening up a dialogue about strategy. So it looks like these media stories are still driving conversation – but hopefully in a way that moves away from FUD and moves towards awareness, education and preparation.
You’re probably wondering where the quilting bit is going to be explained – I will get to this. Another part of this cog is the increased societal interest in cyber security and the security of personal data. As customers, our data is often only as secure as the organisations we buy from – which is why emotions run high when these organisations are attacked and people read the news stories where details of X customers have been compromised – and go straight to social media.
Many organisations are starting to catch on to the reputational consequences of poor preparation because of exactly this, so these stories are opening up a dialogue about risk strategy, or even about looking at security as an investment in brand.
I feel that the more these attacks are talked about, the more it will become common practice for the companies I purchase from to have a plan in place (including letting customers know ASAP) if data is compromised, rather than being like a deer caught in the headlights. This in turn will hopefully mean I spend less time getting angry at companies who haven’t told me sooner that my data has been compromised, or changing my password yet again because my details might be on sale on the dark web – and more time for things I actually want to spend my time doing, like watching movies or quilting – at least until InfoSec Europe 2017.
If you’d like to discuss this blog further, please email me on firstname.lastname@example.org.