Are You a Naked Emperor When it Comes to Cyber Security?

Data security is probably at the top of the risk list in most companies, regardless of business sector. Unlike other areas of the business, many senior leaders feel that they lack the expertise to challenge, and to exercise effective oversight of, cyber risk management programmes. Senior leaders do not like bad news, or the people who deliver it. The cyber arena is a hotbed of bad news which, for self-preservation purposes, is largely kept away from senior leaders. This often leaves senior leadership with risk blind spots. External cyber intelligence is almost exclusively bad news, because it usually provides indicators of compromise; this, coupled with the above, is why many cyber security teams are extremely wary of intelligence that they do not control.

We are passionate about seeing and managing security threats and risk in the round. We do not believe that physical and cybersecurity should work in silos and for them to do so is a strategic risk vulnerability. In this context Risk Resiliency works closely with Sovereign Intelligence, a cutting-edge cyber intelligence company, to deliver holistic security threat and risk services to our clients.

Sovereign scours the cyber ‘highways and byways’ looking for the activities of people seeking to commit, or already committing, cyber-enabled crime. It also looks for indicators of threats and risks emerging in the physical world. As a ‘traditional’ security and intelligence man, I never cease to be amazed by the levels of ingenuity and audacity demonstrated by threat actors, and by the scale of the industrialisation of physical threats and security exploitation: for instance, the co-ordination of large-scale illegal drugs distribution using hotel chains as distribution points, the operation of prostitution rings, and the co-ordination of human exploitation in hotel supply chains.

Is everything really under control?

Whilst working for clients, we routinely discover intelligence that indicates that other hotel companies’ systems have been compromised and exploited. Out of concern for the wellbeing of the hospitality sector in which we operate, we pass reports, such as the one attached to this blog, pro bono to the relevant companies. These reports normally disappear into a ‘black-hole’, and we are lucky to get an acknowledgement. This surprises me because in the physical world, should I receive actionable intelligence, I would be genuinely grateful and would cling onto the source to exploit it to its maximum; so why does this not happen in the cyber-world?

Based on my personal experience, CISOs and their teams often see intelligence such as this, which is outside their control, as a type of threat. Cyber teams often seem to feel compelled to tell the business that everything is under control and there is no need to worry about cyber security issues. One explanation is that this is what senior executives want to hear, so they are happy not to challenge and test cyber assurance claims: who needs bad news? I heard a story from a colleague that a CEO’s only direction to his CISO was ‘just keep me out of the papers’! Interestingly, a very senior UK government cyber security official told me that if your CISO is not bringing you bad news at least weekly, you have a cyber security problem. Perhaps it is time that CEOs questioned their CISOs’ claims that there “is nothing to see here”, if they wish to avoid some nasty surprises further down the road.

Sometimes we will send reports of concern to the Head of Risk or Legal to avoid the ‘black hole’. This also has little effect. Almost certainly, they just pass the reports on to their Heads of Cyber Security and leave it to them, happy to have a tricky issue off their desks rather than seeing it as a potential strategic enterprise risk worthy of their attention. This is perhaps understandable, because many outside the cyber world perceive cyber security and other cyber issues as a ‘dark art’, practised only by hyper-specialists who speak in strange tongues. Maybe too many cyber specialists like it just this way, for weak oversight and governance make for an uncomplicated life. Until the wheels drop off, that is.


Don’t fall into the cognitive dissonance trap

Once I attended a meeting of senior managers to consider a serious and substantive threat to the company’s central data systems; the Head of Cyber Security entered the room with a flourish and announced that there was nothing to worry about, because his team had procured and deployed a security tool from company ‘X’ which was ‘kryptonite’ to cyber threat actors. The senior leaders’ fears were assuaged, and the Head of Cyber Security left the room almost to applause. Meanwhile, the physical security team knew that the threat actor could defeat company X’s tool, because we had reliable intelligence and understood the threat actor. This was a fact we had previously shared with cyber security, but we had been ignored. We raised the issue again but were closed down, because this was news that the senior leaders did not want to hear (a classic case of cognitive dissonance); and of course we were seen by Cyber Security as a threat, or at least our intelligence was seen as a threat. As in the fable, we were the little boys in the crowd who shouted that the emperor was in fact wearing no clothes.

Put curiosity at the heart of security operations

Curiosity should be at the heart of any security operation, cyber or physical, but curiosity seems to be in short supply these days. Maybe curiosity identifies issues and problems that may require money to address, and of course who has money these days? On the other hand, curiosity might discover things that induce senior management to take a closer look at, and a keener interest in, the protection of their data assets and systems.

Maybe part of the answer is the establishment of corporate Joint Intelligence and Fusion Cells that collect and process all intelligence coming into the business. Such cells could be independent and sit outside of both physical and cybersecurity teams. Another part of the answer is to de-mystify cyber security and change the culture so that both senior management and cyber security teams acknowledge that “bad news” is a sign that things are working correctly.