Cyber terrorism is now firmly on the agenda for the secret services with even James Bond and Jason Bourne getting in on the act. But whereas the NSA has been caught gathering covert intelligence online, with its hand firmly stuck in the cookie jar, MI5 and MI6 have taken a different tack, seeking to actively share intelligence with the commercial sector to bolster national security.
GCHQ and the information security sector have always enjoyed a close and long-lasting relationship though various initiatives under the CESG banner (originally known as the Communications Electronics Security Group although now usually just described as the National Technical Authority).
CESG informs and advises government on information security, provides standards, and pools the resources of information assurance and cyber security professionals. But what many may not realise is that it also has a responsibility to provide incident response and operational support by alerting existing systems to specific threats and vulnerabilities.
GCHQ announced this month that the spy agency will begin sharing intelligence on emerging threats to better assist businesses involved with the Critical National Infrastructure (CNI), such as energy providers and third parties.
The plan builds upon the CISP (Cyber Security Information Sharing Partnership) set-up last year to promote the sharing of intelligence on cyber threats. CISP has over 450 member organisations that notify each other about 215,000 abused IP addresses everyday, according to Cabinet Office minister Francis Maude.
Yet while it is commendable that the secret service is promoting the sharing of intelligence among commercial enterprise, are these organisations equipped to deal with this deluge of information?
How can organisations respond to such intelligence while maintaining business as usual? What processes should the board be putting in place in order to respond? Although, such questions may seem premature given that many corporate boards have yet to acknowledge the cyber security threat, much less factor it in to their business plans.
Earlier this year, Sir Jonathan Evans, former director-general of MI5 and non-executive director at HSBC on cyber security, spoke out about the lack of understanding at board level.
“The issue for the board is not, ‘do you understand the technology underlying cyber security?’” he said. “It is, ‘do you understand what cyber security means strategically for your business?’
“[To] understand the nature of the threat; to understand the information assets that are significant and important for your business, and decide on the basis of those two pieces of information; what your risk appetite is; and to make sure you can operationalise that, and that the executives know clearly.”
Clearly, one of the biggest hurdles is one of perception. Many organisations still see information security and the cyber threat as an IT issue. Security controls are seen as a cost burden involving numerous point solutions that can often be obstructive.
Bringing about a cultural change in the enterprise at board level is therefore challenging because of these financial and technical associations. But in reality, effective information security is more about process and people than product.
One of the best ways to get the board’s attention is to use language they are familiar with. By taking a business-centric approach that examines how the business operates it’s possible to pinpoint where changes need to be introduced.
>See also: Cyber security: do you know where you stand?
This approach is known as business process management (BPM). Part of the ‘agile enterprise’ movement, it’s a discipline that aims to evaluate and introduce change to increase efficiency through lean management systems. By combining BPM with data lifecycle management, processes can be appraised and structured to protect data and improve the way the business functions.
BPM also has a surprising amount in common with information security assessment. Both types of assessment look for weaknesses in business process; chinks in the armour that can be exploited or which leech productivity or revenue.
BPM looks for areas of duplication or crossover – pinch points and faults – and as such can be used to highlight where controls can be put in place.
This makes it far easier to demonstrate measurable ROI at board level, improving support for information security and demonstrating its relevance across the data estate.
If the CNI information sharing and CISP initiatives are to be worthwhile, the intelligence they provide must be acted upon. But how can organisations absorb this colossal amount of information and take action in real-time?
One approach might be to apply the analysis techniques more readily associated with big data processing.
Intelligence needs to interpreted, likelihood and impact assessed, and aversive action taken in real-time in order to be effective. So processes and reporting procedures need to be put in place that allow organisations to maintain critical business operations while protecting critical data.
Big data and fast data processing is paving the way for real-time response, but it’s also necessary to grapple with processing at a grass roots level.
Mapping the information estate, looking at the data lifecycle, adopting policies for what to do when data changes in state, and assigning responsibility are all basic information management techniques but they are seldom applied rigorously.
Equally, while many organisations have an incident response policy in place, few have tested them. In the event of a compromise, how does the organisation react? What is the reporting procedure? During the Waking Shark II exercise, which simulated a coordinated cyber attack across the City financial district, it was startling to hear that some organisations didn’t even take the rudimentary step of contacting the police.
In it’s ‘10 Steps to Cybersecurity’, CESG advises implementing an ‘Information Risk Regime’, which uses the risk appetite of the business to determine levels of risk that can be tolerated.
The cyber risk pain threshold for each organisation will vary, so this needs to be assessed rigorously, and the risk appetite communicated across the business to ensure engagement.
Of course risk will fluctuate, so threats need to be monitored on a regular basis and recorded in a risk register with the board kept informed to ensure buy-in.
A company-wide corporate security policy and information risk management policy will also ensure that risk management becomes ‘business as usual’ for staff and part of data management.
The spooks may be ready to share their intel with the commercial sector, but whether the commercial sector is able to act upon it will depend upon how well we have assessed, tested and refined our business processes to cope in a crisis.
Sourced from Louise T. Dunne, MD, Auriga