This interview with Professor Georges Ataya, Academic Director at the Solvay Brussels School and Managing Partner at ICT Control, was conducted on the occasion of SAS Forum Belux 2015, where he will be presenting. Georges is also Vice-President of the Belgian Cybersecurity Coalition.
How has the cyber threat environment evolved over the years, and how should organisations respond to this evolution?
Online threats used to be a lot more unilateral. Today, we are struggling with Advanced Persistent Threats (APT) which are multifaceted and therefore more persistent and more complex. They no longer restrict themselves to just a single domain, but tend to attack from many different angles at the same time: technical, behavioural, focussing on a personalised vulnerability, etc.
This kind of attack can obviously not be solved by buying a simple antivirus program. You need in-depth cybersecurity management, which should focus on three activities. First, you need to define and prepare what should be protected. This means that you have to ask yourself a lot of strategic questions: what exactly could go wrong, which information and services are essential for the company and ought to remain the centre of attention, which risk scenarios we need to prevent, etc. Few are the organisations who actually bother to do this homework seriously. Big mistake.
A second crucial activity is obviously the detection of intrusions, losses and incidents. This might seem an obvious one, but you have no idea how many organisations are infested with malicious code or suffer from intrusions without being aware of it. Activity number three is, of course, recovery: organisations need to be able to return to their normal situation and recuperate everything that was lost. This, too, might seem self-evident. Yet, companies that do not invest in solid disaster recovery solutions – and there are still too many of those – will not always be able to salvage all the data that was lost, with possibly disastrous consequences.
Put like that, it seems a lot to manage for an IT department, which is often – especially in SMEs – merely one person, who is also in charge of the servers, data storage, analytics, IT innovation, etc.
The biggest mistake a company can make is to leave the entire security management in the hands of the technology department. Current cyber threats are too dangerous for that. I believe IT security should be a management priority, because you need much more than just technological skills to control it.
Most organisations focus on the technical level and hire IT experts to deal with security issues. Yet, a company is an ecosystem that goes well beyond being merely digital. So why protect your digital assets as if they were completely disconnected from everything else? It is not just about installing new technologies; you also need to think about new work procedures, new security rules, different behaviour of employees, new processes, new skills, etc. These go well beyond the responsibilities of the IT department and security specialists. They should be directed by general management. Management needs to know which threats its organisation faces and which type of problems they might have. Security needs a holistic vision, which only Management can provide.
You talk about skills. Which ones are the most important for managing IT security in this increasingly complex cybersecurity environment?
At the highest level, you need three types of skills. Analytical skills, first, for planning and managing security. These are the employees that decide how a company is going to organise its cybersecurity, how it is going to manage risk or how it ought to react to which kinds of disaster. Secondly, you obviously need technical skills as well: people who understand malicious code, cryptography, mobile payment security, how to protect your networks, etc. Last but not least, you need generic skills as well: employees who know their way around incident management, threat detection, creation of work standards, knowledge of privacy or physical access, data security, knowledge continuity, etc. Digital security can no longer be a one (wo)man job these days. It takes a whole village.
It’s not a one (wo)man job as you say, but it is no longer a ‘human’ job either. You need analytics in such a data-driven and complex environment, right?
APTs are simply too complex to be controlled by human experience alone. Organisations need real-time knowledge about their terabytes of log data from their networks, interactions and processes. That is why they ought to benefit from (Big Data) analytics because there is too much going on for the human mind and simple solutions to detect. They need to be able to find patterns and exceptions in their data so that they can be aware of all the intrusions in the present, but also in the past, and learn how to quickly recognize unusual behaviour. What’s more, as Management has to be in charge of system security and be able to react at the right time, these tools should be transparent as well as easy to manage and understand.
On top of this, organisations should also learn from the experiences of others. Gut feeling and individual experience are no longer enough. Organisations should leverage the knowledge from ISO certificates, professional organisations and universities. The world is a network, and if everything is connected, the knowledge and experience inside your company walls will no longer suffice. You have to look beyond them.
A lot of companies still seem hesitant to adopt the cloud because they fear it is not safe. What would you tell those non-believers?
I’d say that they are afraid of the wrong thing. When the cloud was first introduced, in a Software-as-a-Service form, people avoided it. They essentially thought that the physical office environment and IT architecture were organised like a big, fortified castle with thick outer walls: they thought they would be all right if they protected the walls and never let anybody in. Today – not just with the cloud but with open information services accessible to customers and suppliers, information shared with banks and governments, BYOD approaches, etc. – companies are continuously interacting and sharing sensitive information with the outside world. Focussing your protection merely against the outside world is completely outdated. Performing simple intrusion testing exercises is just no longer enough in a complex environment threatened by Advanced Persistent Threats.
The question is a lot more complex than ‘cloud or not’. You could even say that the companies who believe that the cloud is dangerous for those wrong reasons are more in danger than those who realise that this outside interaction is infused into every part of the company.
Besides, against some kinds of threat, the cloud has the potential to diminish the risk of cyber threats. Some types of criminal organisation, for instance, encrypt all the information of companies, demanding payment if they want their data back. This could, for instance, be completely avoided by those companies who store their data with a well-protected cloud provider.
Like I said, IT security is not a technical question, it is about good management. Top Management needs to be involved in all the relevant processes and procedures: legal, technical, organisational, budget allocation, risk appetite selection, etc. Those that do not take this into account will be scared of the cloud today, and tomorrow of mobile, BYOD or the Internet of Things. But the truth is, they are simply misunderstanding cyber threats and have a misguided view of what IT security really is. And THAT is what is dangerous.