Having not attended Scot-Secure before, but keen to hear more from those in the industry and from organisations like those Brightsolid works with, I admit I was a little apprehensive and had some preconceptions about going to this ‘security-for-organisations’ conference. I went in expecting a lot of FUD-casting about the ever-increasing and complex threats we were all facing, and a plethora of fancy acronyms that I wouldn’t know the meaning of. I also thought there would be talk of how the C-Suite weren’t listening to security professionals and weren’t investing sufficiently in the right tools and services, leaving the impression that spend was the only solution. I expected some finger-wagging and shame-throwing at the organisations who had fallen victim to security breaches, and I was waiting for the touting of a cornucopia of hugely sophisticated and expensive tools and services.
Virtually all those preconceptions were undone in my time at Scot-Secure; the key themes of the day concentrated on:
- the need to go back to basics around good security hygiene;
- good communication, people and processes being the only way to ensure successful investment in security tools;
- the effectiveness of concentrating on building strong security foundations to support activities such as moving to the cloud.
The day started with some extremely candid presenters who all focussed on the simple and the known. As Greg van der Gaast (Head of IS at the University of Salford, by way of some serious hacking and Government work) put it: “Vast amounts of breaches are rooted in incredibly simple stuff”, quoting that 80% of the issues found by Security Operations Centres (SOCs) are related to bad patching or configuration practices. He challenged the fear of things like ‘zero day’ attacks as impractical because they rarely actually occur, and instead encouraged concentration on the everyday and the known. He also discussed how much could be done by security teams with existing tools, encouraging a focus on greater communication with the organisation and citing the effectiveness of simple improvements such as better asset take-on and management. He used the example of the BA outage in 2017, which had bad asset management at its root cause: a change to a switch was deemed insignificant because those making it simply didn’t know it supported an organisation acquired in M&A activity a few months earlier. He highlighted the fact that no tools could have resolved this, as the assets were simply never put on the system.
Federico Charosky (MD of Quorum Cyber) turned the idea of lack of investment in security on its head when he got the room on its collective feet and asked people to retake their seats only when he hit the percentage at which they felt they were using their security tools effectively. Most remained standing as he called out 100%, 90%… until he got to the 70s and 60s, and once he hit 50% and had made his initial point, he reflected that the biggest risk actually faced wasn’t lack of investment but wasted investment. While, arguably, the same assertion could be made for many non-security tools in organisations, his point that organisations were “buying stuff they didn’t need, deploying it and not using it and therefore paying too much” garnered agreement around the room. Federico challenged the security industry to do more to get the board ‘onboard’ by ensuring they can measure performance against risk and by ensuring there are clear conversations about threats and risks, so as to truly understand an organisation’s appetite.
Both speakers emphasised the need for security teams to get in the ‘mix’ of what was happening in the organisation, to ensure that processes weren’t just on paper but were followed and made practical sense. ‘Compliance certification’, said Federico, ‘is the result of what you are doing – not the point’, while Greg pointed out that all of the organisations in the news-grabbing cyber threat stories of recent years had all of the certifications you’d expect… but the reality was different. Security teams needed to ensure that people and processes were working in real life before investing in more tools or producing more metrics.
All this concentration on the ‘basics’, however, didn’t come with any scorn or blame-throwing at those who had been caught out. In fact, there was great understanding and empathy across the board. Sarah Armstrong Smith, in her session on dealing with major incidents, expressed it like this: “we are really all in the same boat when it comes to security”, going on to say that if most organisations were honest in a major incident situation they would be saying “we had multiple opportunities to fix things and we didn’t”. This sense of ‘all-in-it-together’ followed on into the afternoon session, when we talked about moving to the cloud. There was a range of large and small organisations, those who were already in the cloud and those dipping a toe, but all talked about the need for solid foundations and for getting the basics right. There was very little ego in the rooms, with all organisations admitting blockers, barriers and challenges and wanting to get it right.
So, despite my apprehensiveness, being in this security crowd, who focussed on being plain-talking, pragmatic and supportive, I felt right at home. I also felt reassured about what we are doing at Brightsolid to concentrate continually on our basics and tools, such as the SOC we continue to invest in. Finally, I was reassured that our continued efforts to talk, plainly and simply, about security and how we can help is not only right for us, but reflective of a security industry that’s increasingly focussing on simple, clear and effective measures.