Blog

#ISC2Congress 2022: Effective Cybersecurity Takes Collaboration

Oct 11, 2022

The approach to cybersecurity historically has revolved around self-interest. It’s time to change that and think about the collective, according to Ciaran Martin, founder of the U.K.’s National Cyber Security Centre.

“We’re all interested in cybersecurity because we’re professionals, but we’re all interested in it for ourselves, for our own financial and economic and other interests,” Ciaran said in a keynote he delivered to open the second day of (ISC)²’s Security Congress 2022. The event is taking place this week in Las Vegas.

Understandably, everyone wants to protect their families and organizations, Ciaran said. But to get cybersecurity right, he argued, it has to be approached with a sense of community. “So as well as it being about protecting ourselves, our families or organizations… we need to protect it as a commons.”

Later in the day, during a “fireside chat” with (ISC)² CEO Clar Rosso, David Mussington, Executive Assistant Director for Infrastructure Security at CISA, also spoke about the importance of collaboration.

“No one has a monopoly on insight on critical infrastructure or cyber defenses so we need to learn from each other,” he said, referring to collaboration between the public and private sectors and between nations. “For me, at its most basic, it’s information sharing, making sure we can share insights on facts, real facts – discovered and corroborated facts.”

Dealing in facts would also help counter what Ciaran called “catastrophizing.” Cybersecurity, he argued, has been framed in terms of doom, or catastrophe, when in reality the damage has been an “aggregate of small harms.”

Protecting the Digital Environment

Ciaran said the cybersecurity community needs to protect the digital environment the way we approach the physical environment. That means looking at the harms we currently face and coming up with effective tools to fight back. He broke the cyber harms down into three major categories:

· We are getting robbed

· We are getting weakened

· We are getting hurt

The first one, concerning theft, includes theft of money and data, he said. The second harm – weakening – involves nation-state activities such as espionage and political interference. For instance, it is believed Russia tried to meddle in the 2016 U.S. Presidential election. Another incident involved China breaking into U.S. government systems, he said.

“The Chinese hack of the Office of Personnel Management here in the States in 2015 had a really chilling effect on the lives of millions of American government employees past and present.” Similar incidents around the world, he said, have eroded confidence in governmental institutions.

The third harm – getting hurt – is a growing concern, Ciaran said. For instance, the 2021 ransomware attack on Ireland’s health service led to three-month postponements of cancer patient consultations and restricted prenatal services to women who were at least 36 weeks pregnant.

Fighting Back

“We’ve got some structural insecurity, we’ve got different people trying to do this harm, and we’ve got different ways in which that harm is manifesting,” Ciaran said.

Fighting back requires three basic measures, he said: better risk management, partnership and commitment to the vision. Regarding risk, organizations need to identify their crown jewels and work out how best to protect them.

Organizations also need to build resilience so they can continue to function, even partially, if attacked. “How could you coordinate your response? Do you know who’s in charge? If your email systems aren’t working, do you know how to get hold of your key people? How are you going to reassure your customers, regulators, government, the media, that you know what you’re doing?”

To improve security, organizations should address what Ciaran called the “triplet of cyber defense,” comprising organizational, technical and human factors. The organizational part comes down to determining risk posture and how much risk is acceptable. The technical aspect refers to the capabilities an organization has and the people who understand how they work.

Regarding the human factor, Ciaran said he would ban a phrase that is often uttered about cybersecurity: “People are the weakest link.” “I passionately disagree with it. If you really think your people are that bad, then get some new people in. But hang on a sec, let’s think about this. If someone clicks on a link and the whole company goes down because of a ransomware attack, is that their fault? No.”

Ciaran concluded his talk by circling back to the need for collaboration. He mentioned that the U.K. and Israel worked together to combat the WannaCry ransomware attack, which likely prevented a bigger impact.

Working together to address the harms, he said, we can do “not just what’s good for me, what’s good for my family, what’s good for my organization, but what is good for the digital environment.”