"This isn’t an IT department issue or problem, it’s a business issue."
ALAN PHILLIPS, PA SECURITY EXPERT
PA’s Alan Phillips and Dan Haagman, security experts, are interviewed by Stephen Pritchard for a podcast in the Financial Times. Dan and Alan examine whether the board is paying enough attention to information security.
Here is a transcript of the interview.
Stephen Pritchard (SP) – We speak to Alan Phillips and Dan Haagman, security experts at PA Consulting Group about the sometimes difficult relationship between information security and the board.
Firstly, we ask Alan why spending more money doesn’t always create a greater sense of security?
Alan Phillips (AP) – We have to look at what is important to the organisation. If we can zoom in on what’s important, then we can find out what an organisation’s worst nightmare is and we can focus in on doing some proper testing around that.
Dan Haagman (DH) – The important thing is how you focus your spend. Having a clearly articulated direction which lines up with the strategy of the business and where the client is taking the brand, and then ensuring that those things are taken care of, is key.
AP – This isn’t an IT department issue or problem, it’s a business issue. We like to hear people talking about business issues, rather than the IT problems.
DH – This is a vendor driven market and there’s a lot of companies out there that spend heavily on marketing and promote products that claim to be the silver bullet for security. Any security professional will say that there is no such thing, but when it comes to board level attention the “why don’t we have one of those, if we bought one of those would it solve our problem” is a very attractive way out.
AP – Ultimately most of the security risks that we see and the compromises that we come across are due to the people at the end of products who are running them. So a misconfigured firewall: you may have the best one in the world, but one that’s got the wrong list in there allows the wrong people to get in. Everyone makes mistakes, so these are things that need to be challenged and tested and that’s why penetration testing exists.
DH – Vendors create a lot of theatre around their security products; they have the panacea, it’s a wonderful solution and there is a real school of thought of “use your head first”, understand what is really affecting your organisation or what could affect your organisation and then tailor the investment and tailor the spend to really pin down the risks against those assets. And then we avoid this theatre and the feeling at the board that we’ve got all of these wonderful things with sensors everywhere, it doesn’t necessarily make you more secure.
SP – You’re right to say it’s fairly dull to talk about auditing and testing but actually if you have a better understanding of your business objectives and your security vulnerabilities then you can tailor where you invest, whether that’s in equipment, or software or people or training, on the biggest gaps and biggest threats. Do you think companies are doing enough of that and if not why have they perhaps not taken that step?
DH – There is a lot of activity in this space, however this activity often seems to be done because of a feeling it needs to be done as opposed to solving a specific objective. So, what we are trying to encourage is firms to not just take the deep technical penetration testing but to actually have an advisory component to help them work out what is important, what’s to be done in which sequence and then to take that really deep technical view. It is very important to map that against the risk and manage that risk, monitor that risk and see how it changes over time rather than doing a series of transactional tests which are “point in time” tests. Take those to the next level and make them part of a threaded strategy.
SP – What about the idea that you can’t keep building even higher walls and that at some point in time almost all organisations will suffer a security breach, but again many don’t prepare adequately for dealing with that. And more damage can sometimes be done when a company fails to respond correctly to a breach than by the breach itself.
AP – Many companies do have a lot of spend on protection, but when an event happens it’s very distressing. People are unprepared and we see this a lot. Once someone has had a security compromise, if they don’t have a well-developed incident response plan then it’s going to take us quite a lot of time to be able to recover and address all the points that we need to. It is extremely important to make sure that when you are thinking about information security you are looking at all of the aspects. At some point, most people don’t think that their house is ever going to be burgled. If and when it does happen it comes as a big shock; we need to make sure that we are prepared for it. Attacks happen and a lot of these cannot be prevented because they may be from human error, for example a targeted email with an attachment that someone has opened – it’s a zero-day exploit, which means an anti-virus won’t pick that up, and once we get to that point we need to make sure that we close down those holes and get to the next business point, which is recovery, protecting our brand, making sure that it doesn’t happen again and making sure we have all of the media statements ready.
SP – And also having people trained so that they know how to cope in more difficult circumstances.
AP – Absolutely. Training in this area is not very well utilised in some industries, but also from the forensics perspective: what happens after the event, what do you need to have in place?
SP – Alan Phillips and Dan Haagman of PA Consulting Group, on avoiding the theatre of information security and having the right incident response in place if things do go wrong.
You can listen to the podcast in full here. Dan and Alan’s interview starts 5 minutes 30 seconds into the recording.