We use cookies to improve your online experience. Full details about our use of cookies can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies.

Allow Cookies
Disallow Cookies

New Year SASIG 2014 - key highlights and take home pointers

"Cyber security - adopting a new approach to answer the Board's concerns"

New Year SASIG: 14th January 2014


 Security awareness: New Year SASIG - Cyber security


Download the full PDF version: New Year SASIG 2014 highlights (PDF, 1.1MB) 

"What a privilege to be invited to such an interesting, relevant and above all, enjoyable day”, “The speakers and topics were very valuable and relevant”, “Informative and educational with a great atmosphere and good audience participation”, “This was my first SASIG experience and I will certainly be attending future events!


Hosted by EY in More London Place, The Security Company was proud to run the first Security Awareness Special Interest Group (SASIG) event of 2014 on 14th January. Celebrating its 10th anniversary this year, SASIG welcomed an outstanding panel of guest speakers and witnessed record numbers of delegates at the New Year event. It was a delight to see such a wide variety of companies represented and to listen to the many and varied opinions that were raised on the subject of ‘cyber’.


Martin Smith, Chairman and Founder of The Security Company, began proceedings by explaining how the New Year SASIG would address the question “we all want the answer to”, how to get the Board's attention when it comes to cyber security. Martin asked the delegates why cars have breaks. The answer - so they can go faster safely. He compared this analogy to a company that protects itself by investing in effective security awareness.


An audience of more than 150 senior security executives took part in the discussions during the day, and gave their views about what they are doing to engage their Board members in security initiatives.


Ken Allan, Global Leader Information Security Practice, EY, opened the event with his discussions around the need to adopt a new approach to answer the Board’s concerns. He pushed the message that everyone and every organisation is a target of cyber-crime. One third of the audience admitted to suffering a breach, but Ken said it was more likely that all companies have been breached and are being breached all the time. He said we need to recognise this and adopt this stance when talking to the Board so they provide the appropriate attention and resource for cyber security prevention.


Ken talked about EY’s 16th annual global information security survey, which found that:


  • Most companies needed to improve how they manage security issues, and
  • Information security teams are failing in the eyes of 4/5ths of Boards.


He explained that the most important thing to the Board is that the business survives. So talk business, explain that security could destroy business opportunities and show how you can support and protect it.


Ken said to prevent against cyber-crime companies need to “innovate, expand and improve”, emphasising the need to proactively prepare for new risks. Technology is changing rapidly and if we wait for things to become mainstream it’ll be too late to find solutions.


Ken then joined the panel discussion, which tackled the issue of Getting the Board’s attention. This involved a number of experts from across the industry, Simon Dukes (CIFAS), Volker Wagner (Deutsche Telekom), Jim Mulheron (Colt Technology Services Group Ltd) and Ken (EY).


Simon started the discussion stating that he was not a believer of using scare stories to attract attention. Instead he suggested we need to concentrate on the three Ps - profit, people and politics. A security breach impacts a business’s customers - costing money, reducing staff morale and damaging reputation. Making a company secure can improve the bottom line, enhance brand and make a profit. He also explained the need to think about the insider threat and recommended that security professionals use wider political examples of breaches to explain to the Board what might happen and to put threats into context.


Volker confessed that “it is not easy to turn board members into security believers”. He emphasised our advantage is that business is influenced by society and government legislation – which is increasingly focused on cyber-crime. He said we should also focus on two priorities all companies are in danger of – 1) cyber-crime, computer fraud and theft, and 2) espionage. He recommended finding out what the ‘crown jewels’ are to the Board and then demonstrating a business understanding of these priorities and how security is relevant to supporting them. He advised delegates to seek attention through positive messages, as well as bad, to turn the security function into a success story. He also covered networking with the Board, finding innovative solutions, making the budget go further and helping the company beat its competitors.


Jim focused on the fact that every organisation is different and that for some their key stakeholders aren’t the Board. He stressed the importance of understanding your business and stakeholders to find out who has influence. Build trust to become a key player and engage with the business in a way they want to be engaged with. He emphasised the need to make the business understand where weaknesses are, where they could lose money and how you can help. “It then becomes a business issue, not yours, and they will understand the value you add to the organisation”.


The following discussion covered topics including bring your own device culture, behavioural change, two way communications, measuring security awareness to illustrate what you’ve done, the need to be at the design table when systems are developed, the definition of cyber security and whether the modern Board is fit to make decisions around security if they don’t understand its importance.


Will Gardner, CEO, Childnet, talked about the importance of Safer Internet Day (SID) 2014, taking place on Tuesday, February 11, with the theme 'Let's create a better internet together'. The theme promotes the responsibility that all users have in making the internet a safer place. For companies it’s about the human factor. Many employees will be parents and this will be the hook to change the way they behave online and encourage them to be more informed.


Safer Internet Day has now spread to more than 100 countries worldwide. In the UK 40 percent of those who heard the SID messages said they had changed their behaviour online as a result of the day.


Ways you can celebrate the day include:


  • Register as a supporter by adding your company logo to the supporters' page. More than 100 organisations have already joined.
  • Join in with a coordinated tweet, called a Thunderclap, which will be sent out on the morning of SID to promote the event. Join the Thunderclap by registering your Twitter account details.


Joe Di Vanna, Managing Director, Maris Strategies, shared his views through A discussion on one of the three corporate boardroom taboos: Sex, politics and security. In other words: Sex – Security for EXecutives and Politics - Potential Of Litigation in Information Technology Infrastructure and Communications Security.


Joe talked about how perception is what drives decisions in the boardroom and how sometimes they base their security strategy on irrational fear. He used the example that you’re more likely to die slipping in the shower than in an earthquake but people still get earthquake insurance. This illustrated how important it is to put risks into context and rationalise them for the Board, so they can react appropriately. He recommended that measures should also be put into context, in terms of what the business needs and the level of threat those measures will prevent. In addition, it is important to put exaggerated media stories into perspective to aid the Board’s thinking.


He talked about putting together suggested “deterrence, detection, delay and response” methods before presenting them to the Board, to convince them of your plan of action.


To demonstrate how threats and preventative measures are ever changing and the need to prepare for future risks Joe took SASIG delegates through some examples of historical security methods.


Joe also explained that 90 percent of identity theft takes place at the rubbish tip, as a reminder of human behaviour and human responsibility for security.


Ben Aung, Government Security Secretariat, Cabinet Office explained the changes that are due to take place to The Government Classification Scheme this April (2014). There are currently six levels, which were developed for a paper age and in the context of old threats. Ben explained how this was no longer fit for purpose and that many find it confusing and misuse it. The changes will see the six levels reduce to three: Official, Secret and Top Secret. It is hoped this new system will create more consistency and help organisations work together better. Ben also emphasised how important it is for the private sector to be aware of the change, as well as the public sector, so that they are able to do business and understand one another effectively. The new system requires people’s “active use of judgement” and will be a significant culture change. Find the new policy on the GOV.UK website.


Stewart Room, Partner, Field Fisher Waterhouse talked through Data Protection and other emerging legislation reforms that relate to data and cyber security. He illustrated the law reform agenda by talking through what changes are happening now, what is staying the same and what changes are due to come in the future. Specifically he looked at the Data Protection Regulation, the Cybersecurity Directive and the Payment Services Directive. He advised delegates to watch Telco and ISP, as any changes will indicate potential law reform in the European Union. During the discussion, Stewart explained the similar nature of the law and their reforms in both the EU and US to support business and trade. However, the incentives to adhere to the legislation differ from country to country. To conclude, Stewart emphasised that reforms won’t change a company’s obligation to regulate and suggested that organisations should be encouraged to tell people when things go wrong and put measures in place to improve how they deal with information security.


Rhys Bowen, Deputy Director Cybercrime Business and Skills, Office for Cyber Security and Information Assurance, Cabinet Office discussed the role of The Cybersecurity Information Sharing Partnership (CISP). He began by talking through the objectives of the UK National Cyber Strategy and the work of the Cabinet Office and CISP to support UK business around cyber security. CISP was set up to support companies in the UK and followed US best practice. It now has more than 300 members. Its role is to improve information sharing and exchange about cyber threats and provide a secure online platform on which to do this. He looked at the support for UK industry in terms of awareness, incentives and support structures. Rhys also championed that cyber security should be part of any due diligence process, which is why the information CISP produces is predominantly aimed at board level. He shared the range of Government resources available to help manage cyber threats and actively encouraged involvement with the CISP initiative.


Key pointers from the day...


  • Remember the human factor:  Board members are people too. Just like your employees it might be difficult to change their behaviour. Make sure they understand that cyber security has an impact on the things they care about – profit, people and politics.
  • Talk business:  Understand your business, talk the language, know your products and assets, and demonstrate how you can help support the organisation.
  • Become a key player:  Find out who your key stakeholders are and who has influence. Network and engage with the Board in a way that suits them. Be innovative and give them the positives as well as the negatives to demonstrate your successes.
  • The world is changing:  Be aware of how changes to law, legislation and the Government Classification scheme could impact your business. Also, look ahead and prepare for security risks of the future, rather than trying to manage them when they arrive. Use these changes and the changing behaviour of society and technology to support discussions with the Board about security awareness.
  • Put things into context:  Explain the actual impact of potential risks to the business, its people, customers and its profits, rather than the exaggerated scare stories often portrayed in the media. Show the rationale and benefits for investing resources, time and money into appropriate security awareness measures to mitigate these risks.