Autumn SASIG 2014 highlights and call for action

"Corporate and cyber security - making business sense"

29th October 2014

"You don’t get better than SASIG – always useful with great speakers"


"Another excellent session – thank you and here’s to the next 10 years!"


"SASIG has done it again – a high quality event, wonderful speakers and extremely useful networking"


"After hearing so much about SASIG, I had high expectations for my first meeting. This exceeded all expectations by a mile."



The Security Awareness Special Interest Group (SASIG) was proud to bring its 10th anniversary celebrations to a close with the last main meeting of the year, hosted by Unilever in Victoria Embankment on 29th October. As always, it was a pleasure to see so many faces - old and new - and to listen to the numerous and diverse thoughts raised. After the busiest SASIG year to date, it was a fitting event to round off such a positive and valuable year.


The meeting was opened by Martin Smith, Chairman and Founder of The SASIG and The Security Company (International) Ltd. He began proceedings by reinforcing the need to ensure that CSOs, CISOs and their teams can communicate and cooperate better with their peers in other corporate functions such as HR, Finance and the major business lines. An audience of more than 100 senior security executives from both the private and public sectors took part in the discussions during the day, giving their views about the ways in which corporate and cyber security teams can collaborate effectively with their counterparts to protect the corporate and brand reputation, to counter the growing threat from the insider, and to carry out investigations that require expertise in multiple disciplines.


The morning session took the form of a panel discussion, which tackled the ways in which we can work towards aligning the security function with the core business strategy in order to get the Board’s attention. The panel brought together a number of experts from across the industry: Sophie Keen (CIFAS), Tom Thackray (Confederation of British Industry), Simon Kendall (Department for Business Innovation and Skills), Colin Fraser (Sainsbury’s Bank), Jim Mulheron (Colt Technology Services Group Ltd) and Peter Piazza (ASIS International).


Simon started the panel session by giving an overview of the UK Government’s Cyber Security Strategy and highlighting its key objectives. He emphasised the importance of having cross-cutting knowledge, skills and capabilities in order to sustain cyber security objectives and ensure a safe cyberspace for UK Businesses. The Department for Business Innovation and Skills has been reaching into both technical and non-technical communities in order to raise awareness, share best practices, build capability and stimulate action within the security industry.


Sophie engaged with the audience about the work CIFAS is doing to mitigate the risks of both internal and external fraud within organisations. She emphasised the importance of the HR function in this picture; HR have a key role to play in weaving security best practice into an organisation’s culture. Sophie also highlighted the importance of engaging with, and educating, all departments on what constitutes fraud at an early stage, rather than waiting until controls are being implemented.


Tom underlined the fact that whilst awareness of the importance of cyber security in organisations is generally increasing, there is a clear disconnect between awareness and action, particularly among smaller enterprises. He highlighted that the cost of cyber attacks to businesses in the United Kingdom has been estimated at approximately £21bn annually and that it is, unfortunately, complacency that threatens too many organisations. The CBI Intelligence First Guide sets out the steps that must be taken to ensure cyber becomes a cultural and behavioural issue within organisations, and why cyber security should be prominent in Board discussions now.


Colin focussed on the critical importance of translating the issue of security into the language of business economics and strategy, in order to gain top-down sponsorship and support from the C-suite. He stressed that for security to be recognised as an enterprise-wide business enabler, the security programme needs to be defined in simple terms and in a way that relates to the key business objectives. Colin also emphasised the need for a close working relationship between the HR and Security functions. He reinforced the point that security best practice must be woven into the organisation’s culture and, as the arbiter of that culture, the Human Resources team has a fundamental part to play.


Jim highlighted the need to recognise and discuss security within a business context. The vernacular of the security team must primarily be one of business alignment, margins and strategy, not one preoccupied with technological lingo and security jargon. He reinforced Colin’s earlier comment that by showing tangible evidence of the economics of the security function, there is a greater likelihood of engaging, and getting top-down sponsorship from, the boardroom. Jim also suggested that by running the security function at full capacity and exceeding the expectations set for it, the perceived value of security operations will increase in the eyes of the Board, who will then start to understand the importance of working closely with, and expanding, the security function.


Peter focussed on the lack of collaboration between the physical and cyber security functions and the importance of embracing a holistic approach of convergence in order to move forward. He emphasised that in order to create a collaborative security governance structure, it is necessary to remove the two “M’s” from the siloed security function: misperception and misunderstanding. Convergence, Peter explained, does not necessarily have to mean the physical integration of operations, but can take shape as active collaboration between functions. He reinforced the point that the synergy of physical, cyber and personnel security functions ultimately allows for more efficient and cost-effective security operations and greater protection of business assets. As Peter emphasised, this is a key element in aligning security with business objectives and encouraging the Board to accept the importance of integrating security into the framework of the enterprise.


The ensuing discussion covered topics including the definition of ‘cyber’ and dangers associated with ambiguous terminology in the security function, integration of security into the architecture of the business, the essential convergence between security and other key business functions, the necessity for continued awareness and educational programmes and what makes a security executive an effective business leader.


The afternoon session considered the security aspects of a miscellany of important and emerging cyber topics.


Peter Davies, Deputy Chief Constable, Lincolnshire Police, and until recently Chief Executive of the Child Exploitation and Online Protection Centre (CEOP), shared his views and experiences on the topic of ‘The Dark Web’. He emphasised that technology is not inherently good or bad; it is human behaviour that determines the way in which technology is used. Peter highlighted that pure cybercrime and cyber-enabled crime are nothing more than crime, in the same way that cyber security is ultimately just security and should be handled as such. Peter explained that with its anonymity, encryption and purpose of denying surveillance, the Dark Web is becoming extremely difficult to identify, understand and manage. The question was then posed to the audience: ‘is the Dark Web a saviour of free expression or a criminal playground?’ The answers from the audience were neither resounding nor absolute.


Phil Cracknell, Head of Security and Privacy Services, Company85, followed on by discussing ClubCISO’s Realtime Maturity Survey and some of its more interesting results. The Realtime Maturity Survey is an annual survey of UK-based Chief Information Security Officers from a variety of public and private sector organisations, with the aim of anonymously benchmarking their maturity. Amongst other results, Phil highlighted that over one-fifth of organisations never provide security awareness education or training, and that even where organisations do provide training, more than half have no means in place to measure its effectiveness.


Martin Smith, Chairman and Founder, SASIG and The Security Company, discussed the increasingly prevalent topic of Internet Addiction Disorder. Addiction to social media, online gaming, gambling and cybersex is on the rise, and the drivers behind this addictive behaviour are as powerful as any drug; the Internet has been referred to as ‘electronic cocaine’. Martin highlighted the very real problems this can cause at work, as well as at home, in terms of a potential increase in errors, an impact on productivity and a possible increase in employees taking risks. The cure for this affliction: unplug and reconnect.


Peter Wood, CEO, First Base Technologies LLP, shared his experiences of delivering penetration testing and security audit services and affirmed, once again, that the Mark 1 Human Being is the weakest link in the chain. Using results from a series of network penetration tests over the last two years, Peter demonstrated how, too often, simple vulnerabilities are ignored, and that it is the exploitation of these common vulnerabilities that can have the greatest consequences for businesses. He reinforced the view that the advent of new technologies does not defend against the same old problems faced by organisations; time and again we see organisations from across all sectors fall victim to laziness, ignorance and carelessness.

To view the presentations from the Autumn meeting, please visit www.thesasig.com

Francesca Collins, Business Development Executive, The Security Company