A speech given by Alex Webling to the opening of Z-CERT, the Hague, Netherlands, January 2018

Building better cyber security strategy in organisations

The opening of Z-CERT is an important development in the protection of the Netherlands’ health care system. I wish you all the good fortune in the world.

[Image: Z-CERT launch – launching the Z-CERT website]

When I started working in cybersecurity for the Australian Government in 2002, the world was a different place.

For one thing, we called it electronic security and mostly it was a small extension of the great game of espionage played between nation states. We focussed almost exclusively on keeping our information confidential.

However, even then, we realised that in order to keep our systems and citizens secure, we’d have to collaborate with like-minded countries, and the Netherlands was top of my list.

I have continued to admire the Dutch, because I think that you tend to be quite pragmatic in your approach to problems. Solving the issues related to cyber security and privacy is no different.

The cyber landscape has continued to evolve quickly under our feet and the need to collaborate and share best practice has only accelerated.

“If you think technology can solve all your security problems, then you don’t understand the problems and you don’t understand the technology” – Bruce Schneier

I think you all know that the information age is upon us and has been for some time. This year, like the last and the one before, will bring more connectivity, digital transformation initiatives, and data for organisations and their human operators to handle.

The opportunities this information age brings are amazing.

All organisations, not least health providers, are focussed on getting the right information to the right people at the right time, and avoiding the wrong people accessing it too.

This is an incredibly difficult task. Getting it right relies on judgement and experience, and it is becoming increasingly difficult to achieve. Information travels at the speed of light, but we can’t think that fast.

Just think: unlike any previous time in human history, information has become very expensive to delete as well as to create.

Within a couple of generations, many organisations have moved from paper records to electronic ones. Access to electronic information brings so many benefits for the health professional.

But there is also a dark side.

With the opportunities come the threats. Threats to privacy, reputation, financial status and also to patient outcomes.

More tools developed by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malicious software or steal data.

Estimates are that ransomware cost victims 2 billion Euros in 2017, twice as much as in 2016.

Meanwhile, others have predicted that global losses from another growing trend, business email compromise scams, will exceed 9 billion Euros next year.

With the advent of the GDPR in less than five months, the financial penalties if data protection goes wrong are about to get much more serious. GDPR fines will be up to 20 million Euros or 4% of annual turnover (whichever is higher).

The cost is not just monetary: NHS hospitals in the United Kingdom were hit by the WannaCry ransomware attack, delaying surgery for patients. The potential for things to get much worse is real.

Opportunities and Threats

Yet, the opportunities are so great, that organisations have no choice but to manage the threats that the information age brings.

So the key point of this talk is:

Good information security is dependent on dynamic organisational governance of cyber security.

An Information Security Management System can help organisations become resilient to the dynamic threat.

What is it?

So what is an Information Security Management System or ISMS and how can it help me and my organisation?

To answer that, we need to look at three questions:

  1. Why should my organisation care about cyber security?
  2. Who is responsible for organisational cyber security?
  3. What does good cyber security look like?

I have found that many senior executives find it difficult to answer these questions for themselves, so I’m going to give you good reasons to take back to your organisations to make change happen.

Why should my organisation care about cybersecurity?

Your organisation is an information business

At the risk of repeating myself, whatever else it does, your organisation is an information business. Information is the lifeblood of a modern organisation. A cyber attack can mean your organisation’s information goes to the wrong people, is changed or is removed. Even worse, you may not even know this has happened for months.

The legislative and regulatory environment will continue to become more stringent as the cyber threat increases

e.g. GDPR

The GDPR is not the first regulation to place responsibility on organisations for protection of specific data. The introduction of the GDPR is part of an ongoing trend for legislation and regulation striving to catch up with the changes in technology and society that the information age has brought us.

You are probably aware that as early as 1995, the European Council adopted the Data Protection Directive which aimed to protect individuals’ personal electronic data.

PCI DSS does this for credit card information around the world. The Health Insurance Portability and Accountability Act (HIPAA) did this for personal health information in the USA.

GDPR requires organisations to map their personal information holdings. But mapping under GDPR is not just another classification exercise. It also requires the organisation to correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the personal data content; it’s also essential to know the context of the data because the organisation is the steward of the information, not the owner.

The increasing reputational and financial damage suffered by organisations that are hacked

In many ways this is related to the previous point. The outrage that the public expresses every time another organisation loses their data is growing.

Some organisations have tried to hide that they have been hacked. Uber and Equifax are alleged to have done this, but any cover-up is almost always revealed quickly. Mandatory reporting provisions are putting increased pressure on organisations to reveal breaches quickly and to show how they are dealing with cyber events.

Where this doesn’t happen, the public is voting with their feet. This is having direct impacts on the tenure of leaders, CEOs and boards. For listed companies, it is impacting their share value directly.

When the GDPR comes into force in May this year, to repeat for emphasis, fines of up to 4% of organisational turnover are possible where organisations are shown to be negligent in the protection of EU citizens’ personal information. This will be a very significant increase over the previous regimes.

Who is responsible for cyber security

This one’s easy.

It is the owner of the cyber risk.

That’s the board or CEO of the organisation. These are the people that regulators are increasingly targeting when things go seriously wrong.

It is not the ICT manager, the CIO, or the security manager. The decisions on how much cyber risk the organisation should take come down to the CEO and Board. The organisation’s leader needs to make those decisions in an informed manner that balances relevant stakeholders’ perspectives.

Goldilocks Security

I call it ‘Goldilocks Security’ – that which is just right for the organisation, not too much and not too little.

Goldilocks security is different for different organisations. Cybersecurity is a series of tradeoffs between the confidentiality of information, its integrity and its availability.

If you think about it: the most secure information is completely inaccessible to all, and pretty useless.

There needs to be a balance.

How do the board and CEO become informed about cyber risk?

They use experts who understand the threats, vulnerabilities and consequences of cyber attack, and communicate in business-ese to the board, but they retain the decision making for themselves.

Time to move away from the word ‘Cyber’

By the way this is probably the time to tell you that I don’t really like the word ‘cybersecurity’, and prefer the term ‘information security’.

Cyber tends to make people think only of computers and networks. This then can lead to the responsibility for cyber being put solely on the shoulders of the CIO or ICT manager.

Words Matter – and as hard as it is to change the way we talk, we need to make the change.

We have to continually remind ourselves that people are both the central cause and the primary victims of information security attacks.

Weaknesses in human behaviour are still one of the easiest ways of compromising any organisation.

What does good security look like?

So now we get to the crux of the matter.

Good organisational cybersecurity is tested, systematic and repeatable. However, for many organisations it is anything but!

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

This requires a certain amount of bravery on the part of executives.

Unfortunately, our experience is that many organisations need a compelling event, such as a major breach, before they take cyber security seriously. However, it doesn’t have to be this way for change to happen.

The organisational leadership can create an Information Security Management System or ISMS.

The Information Security Management System (ISMS)

An ISMS is a set of better-practice policies and procedures for systematically managing an organisation’s information.

The ISMS operates by identifying, assessing and managing information security risks resulting from internal and external threats exploiting the organisation’s vulnerabilities.

The goal of an ISMS is to

  • manage the risk of a cyber event occurring on an ongoing basis in a holistic manner; and
  • minimise the impact on the organisation if and when a cyber event occurs.

A Strategic Decision

Implementing an ISMS is a strategic decision for the organisation. Implementation requires CEO and Board commitment – because they own the risk.

At the strategic level, the CEO / Board create an ISMS committee which has responsibility for the organisation’s information security. The committee meets regularly and oversees the development of a structured approach to better enterprise security, dynamically monitoring and improving information security effectiveness.

Cyber risks are assessed at a holistic level. Sometimes, the organisational leadership will decide to take more cyber risk in order to achieve a business objective. The important thing is that it is done with full knowledge of the risk – both positive and negative.

When the ISMS committee operates in this manner, the organisational cybersecurity stance evolves to meet the increasing threat and the organisational business needs.

Minimising the impact of a cyber event. Or… you will be compromised

I mentioned before that information security is all about tradeoffs. Tradeoffs between your people being able to access the information they need to do their jobs – availability. Tradeoffs that information is correct – integrity. Tradeoffs that information doesn’t fall into the wrong hands – confidentiality.

It is a legacy of old cyber security thinking that many security people worry more about information confidentiality than about integrity and availability, rather than about what the business needs to achieve its objectives.

Bringing information security to the board level means that decisions about tradeoffs must be made, particularly in tight fiscal environments.

Sometimes it will go wrong…

Even with an ISMS in place, there is always a risk that an information security event occurs. When it does, the organisation must respond. Good cyber response involves much more than the ICT area.

Whilst the technical response is occurring, the organisation needs to work out how to respond to stakeholders, what, if anything, to report to authorities, and so on.

One of the key aspects of the GDPR, as I mentioned earlier, is the mandatory reporting of data breaches. An ISMS brings together key stakeholders to consider risks, including the data protection officer, who can consider the impact of a breach from a GDPR perspective and advise the organisational leadership about the implications, if any.

However, like a fire drill, cyber response needs to be practised.

A smooth response to an event can minimise the impact on the organisation significantly. In my experience, the technical response to cyber incidents works better than the non-technical response, simply because the techs are responding to minor incidents day in and day out, but for other parts of the organisation, it is not their day job.

Recovering (more) gracefully

There are multiple examples (e.g. Uber, Equifax) of companies handling data breaches badly. However, here’s a case of one that was handled well from a public relations perspective.

In Australia, the Red Cross Blood Bank was compromised in 2016. Over 500,000 blood donors’ personal information was exposed publicly.

At that time, it was not mandatory to report breaches of personal information.

However, the Red Cross was proactive in informing the public and the Australian Privacy Commissioner. In doing so, the Red Cross made the best out of a bad situation by displaying transparency and showing that they were doing their best to fix the problems.

By getting on the front foot, the Red Cross maintained the public’s trust in the blood system.

http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036
https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach

In summary

Why should my organisation care about cybersecurity?

Care because your business is information (whatever your business)

  • Your business is information
  • The GDPR is just the next step in a global tightening of legislation and regulation for organisations operating in cyberspace.
  • If you don’t play by the rules and you get caught, your reputation and finances will suffer

Who is responsible for cyber security

  • The owner of the risk, generally the CEO, Agency Head or Board
  • The CEO needs to make informed decisions about how much security is just right – Goldilocks security
  • Your security and ICT people help the leadership make informed decisions. They need to translate geek-speak into business-ese

What does good security look like

  • An information security management system is recognised as the better practice for information security and is eminently applicable to the data protection requirements of the GDPR.
  • An ISMS evolves continuously to meet the changing risks. It is not ‘set and forget’ and only works if the risk owner engages with it.
  • You will be compromised. Practise your cyber response at the organisational level, not the ICT level.

Conclusion

We are well into the information age. Information is the lifeblood of the organisation. The days when somebody from IT was responsible for cybersecurity are long past.

Executives responsible for organisational success must take ownership for cyber security. Cyber is just another risk category like finance.

Establishing and running an information security management system is recognised as the best way to manage and balance information security and privacy risks for organisations.

A well run ISMS helps the organisational leadership understand the value of its information and take advantage of the opportunities of the information age as well as reducing the downside risk.

The GDPR is part of a continuum of regulation that will force organisations to design security for citizen data, across its entire lifecycle, into their processes. The provisions relate not only to technology, but also to policies and employee behaviour. The policies and practices that are instituted to meet the requirements of the GDPR can also be applied to improve information security across the whole organisation.

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

You have the power to make cybersecurity happen in your organisation. Start today, by creating your information security management system board. Make sure that the CEO is at the table. Keep the scope small and manageable whilst you learn by doing.

Looking at the risks associated with GDPR would be ideal if your organisation hasn’t started. Once you understand what you’re doing, start expanding the scope.


Alex travelled to the Netherlands as a guest of Z-CERT, the Dutch Computer Emergency Response Team for healthcare (Zorg), in January 2018.

Z-CERT’s website is https://www.z-cert.nl/